ICO Best Practices: the Good, the Bad & the Ugly
New Sheriffs in the ICO Town
Despite their highly volatile and risky "Wild Wild West" nature, there seems to be no stopping demand for buying into initial coin offerings ("IOCs"). The total amount raised from token sales, surpassed early stage investment spending from traditional VCs during the first half of 2017. (In June 2017, ICO funding reached over $550 million exceeding angel and seed VC funding.)
The euphoria surrounding ICOs has raised the concerns of global regulators. Into this Wild West atmosphere rode the new sheriffs. On September 4, 2017, China banned ICO funding (which most commentators view as temporary until China figures out what to do with ICOs), which it claims has “seriously disrupted the economic and financial order.” South Korea also recently banned ICOs too. This development follows a long line of warnings from Canada, Russia, Singapore, Israel, Hong Kong and the US about the possible disruptive effects of ICOs and the need for its regulation (for example under national securities laws) to protect investors' interests. Despite such warnings, token buyers continue on their business mindful that a massive shoot out between regulators and token developers may ensue at any moment breaking the current regulatory silence.
As in any classic Western movie, sooner or later the good sheriff will meet the villains face to face in a Mexican standoff. In the eerie silence of the face-off, the towns people rush to take cover from the ensuing gun-fight while the good sheriff stares-down the opposing motley crew of misfits, gangsters and cut-throats before drawing his silver-horn pistol and blazes away. Similarly, in the current surreal ICO world, regulators seem to be at a standoff against ICO token developers while token buyers wait in their cover on the final word of more ICOs regulations to come. Advocating best practices to be followed by token developers may release a lot of the dramatic tension that is holding the ICO world in suspense. Best practices help ease tensions between regulators and developers because they decrease the chances of regulators over-regulating the ICO market and token developers under-protecting token buyers' interests. If regulators see that the industry has adopted certain minimum best practices for ICOs to safeguard consumer rights, then they would not need to pass stringent ICOs regulations.
This essay argues that the ICO ecosystem would be best served by creating industry legal, accounting & financial, technology-oriented and governance-driven best practices. Rather than wait for the next big ICO scam to happen which may bring down the regulatory hammer on all legitimate ICOs and extinguish further financial innovations in this space, the ICO community should consider adopting self-regulatory best practice measures (explained below) for issuers to adopt on a volunteer basis. Also, the ICO community should begin to lobby their respective authorities to incorporate such best practices into any new rules. Promoting the adoption and usage of these best practices aims to assuage the prudential concerns of regulators by helping to set minimum standards to safeguard stakeholders' interests, protect the credibility of the overall ICO ecosystem and to act as a bridge with global regulators furthering the frank and open exchange of emerging technology trends.
Why Best Practices?
Best practices are helpful to both the ICO community and regulators. From the ICO community's perspective, best practices can be developed in real-time more quickly and agilely to address abuses in the system than time-consuming legislative or rule-making measures. From the regulatory viewpoint, they will be in a better position to govern without undercutting responsible innovations because best practices act as cushions against drastic one-size-fits all legal measures.
Overview of Major Best Practices
The primary goals of the following best practices are to align token developers and token holders' interests and provide meaningful information rights to token holders. Best practices are divided into four kinds: legal, accounting & financial, technology-oriented and governance-driven.
I) Legal Best Practices
1) ICO Certifications
There are a growing number of NGOs or SROs (self regulatory organizations) that offer ICO certification services. See here and here. The essential function of ICO certifications is to provide the prospective token holder with information about the nature and structure of the proposed ICO. It is not an endorsement of its potential for success. While they do not certify the underlying chances of commercial success of ICOs, they aim to review various assessments of the cryptocurrency platform of the issuer being in line with a set of minimum criteria such as the project legal domicile, reasons for choosing crypto financing over traditional fund raising methods, and token specifications.
The problem with ICO certifications is that it is highly dependent on the competency and independence of the certifying body to prevent manipulation and conflict of interests. Will they be technically competent to act as certifiers to be relied upon by retail investors who may not be sophisticated to do their own due diligence? Also, these certifying bodies are not government entities and there will be concerns about whether its shareholders, founders or executive team actually or potentially hold any interests or positions that either conflict with: (i) those of the prospective ICO issuer they are reviewing for certification; or (ii) prospective token buyers.
2) ICO Disclosure Document
One NGO proposed to create a document (similar to the US SEC's S-1 prospectus) that ICO issuers should complete for submission to a central registry for token buyers to access and read. This document requires the ICO to provide the following information:
Mission, goals & objectives;
Organizational structure & leadership;
Open source reference implementation ownership;
Open source community;
Existing business operations;
Company and ecosystem tokens;
Currency circulation cap;
Inflationary or deflationary currency;
Fundraising cap and market cap;
Exchange and liquidity;
Security procedure and audits;
Terms and conditions;
Declaration of risks; and
Background checks & declarations
Other information helpful to token buyers include whether there is any anti-dilution protection, binding contractual commitment to use best efforts to create the tokenized platform, contractual limits on how raised funds are to be expended (and limits on compensation), investor contractual rights and exclusive submission to a foreign forum for the resolution of disputes.
There is a major problem with disclosing the above information in a document to be filed with a non-governmental registry: lack of any guarantee that the information disclosed are adequate, timely or accurate. The private central registry has no enforcement power other than acting as a conduit for information (the quality of which may be suspect). First, every capital market lawyer knows that clever legal word-smithing and writing can disguise or "gloss over" inconvenient truths about a particular security offering. Therefore there is no assurance that any disclosure made in such a document filed with a central registry would be adequate. Often times, issuers intentionally make disclosures that are designed to comply with the bare legal requirement but gives only a minimum of useful information to investors. This is why for example the US Securities and Exchange Commission is mandated by law to review periodically every issuers' annual report filing (such as the 20-F for foreign issuers) to ensure that disclosures made are adequate, timely and accurate. If disclosures are not adequate for example, the US SEC will send a "comment letter" to the issuer to ask for further clarification and possibly a re-statement of its disclosure in egregious cases. The US SEC will continue to ask questions about the adequacy and accuracy of an issuer's disclosure until the US SEC is satisfied with the issuer's reply. If the issuer does not work to assuage the SEC's concerns, then the issuer must disclose the reasons for such failure in its next annual report.
In other words, there will be no enforcement teeth to a poorly written ICO disclosure document. If we are concerned about scammers in the ICO market, then scammers can easily write a disclosure document of little worth filled with flowery language and boilerplate disclaimers. Even worse, to unsophisticated token buyers, shady issuers can make their scams appear more legitimate in an "official" looking disclosure document.
II) Accounting & Financial Best Practices
1) Audited Financial Statements
A useful best practice would be for ICO issuers to make available audited financial statements to token buyers that track how funds received from token sales have been used and allocated. To what extent are certified public accountants able to audit the token issuer's financial statements meaningfully if only cryptos-money (not fiat money) has been paid by token buyers? Accounting rules like IFRS or GAAP in theory should apply to cyrptocurrencies in tracking the books of an ICO issuer because accounting rules are able to track the assets and liabilities denominated in different fiat currencies. Most token issuers will also need to convert some of the ICO proceeds into fiat currency to develop their protocol, pay staff and rent office space in the real world. These transactions are clearly amendable to being accounted under traditional accounting principles.
The key issue will be how accountants go about applying traditional principles of accounting to novel book-keeping situations created by crypto-assets. For example, accountants would need to figure out what sort of IFRS or GAAP treatment will apply to the payment of cryptocurrency by token buyers into a token fund. Accounting rules will also need to know the characteristics of a token in determining whether, how, and at what value the transaction should affect the issuer's financial statements.
2) Key Audit Focus Areas
On September 11, 2017, the Chief Accountant of the US SEC gave a speech on advancing high quality financial reporting and spoke specifically about accounting issues that apply to ICO issuers as follows:
- What are the necessary financial statement filing requirements?
- Are there liabilities requiring recognition or disclosure?
- Are there previously recognized assets that require de-recognition?
- Are there revenues or expenses requiring recognition or deferral?
- Is there a transaction with owners, resulting in debt or equity classification and possibly compensation expense?
- Are there implications for the provision for income taxes?
Requiring audited financial statements is more useful to token buyers than a disclosure document because numbers do not lie and are hard to gloss over under IFRS and GAAP principles as they are audited by an independent CPA.
3) Hedging Mechanisms
Some ICOs require the issuer to periodically buy back tokens. Also, most ICO issuers need to exchange cryptocurrencies paid to them by token buyers into hard fiat currency to pay real-world salaries, rent and operating fees & expenses. Both instances would subject the ICO issuer to significant losses inherent within any transaction that exchanges cryptocurrencies into fiat currencies and vice versa. This situation is similar to foreign exchange risks facing traditional companies when they need to exchange one currency for another. Real world companies mitigate such exchange rate risks by buying options, hedges and forward positions through the use of derivatives.
Currently it is difficult for ICO issuers to hedge crypto-fiat currency exchange risks because the corresponding derivatives market is relatively small and undeveloped. This is an area that needs further development and will most likely require assistance and participation by traditional swap-market makers and derivative exchanges.
Recently in July 2017, the US Commodity Futures Trading Commission ("CFTC") approved institutional bitcoin derivatives platform Ledgerx LLC as the first federally-regulated bitcoin options exchange and clearinghouse. Ledgerx plans to launch bitcoin options in the early fall of 2017, and ether options within a few months. Initially, Ledgerx expects to list one- to six-month option contracts for bitcoin. Other digital currency contracts such as ethereum (ETH) options are expected to follow,
ICO issuers need to adopt the financial best practice of hedging their crypto-fiat currency exchange risks by using regulator approved crypto options exchanges and clearinghouses. They should indicate in their white papers whether such hedging activities will be done to mitigate any exchange risks underlying any token buyouts or cryptocurrency conversions.
III) Technology-driven Best Practices
1) Information Security Safeguards
Phishing scams and other malicious attack vectors frequently plague ICO funding. Recently, hackers stole $500,000 in ether from supporters of the Enigma blockchain project following a cyberattack. Prior to the highly anticipated KIK ICO launch, hackers distributed a fake URL on social media proclaiming that the ICO had begun 40 minutes prior to the official launch which netted the hackers about 70.9 ether (about US$17,350 as of publication date).
Issuers should disclose how their cybersecurity safeguards can prevent scams that steal funds raised by the issuer or prevent funds from being re-directed from the issuer's account to the hackers' account. Phising scams are the most common schemes to steal from both issuers and token buyers. Therefore both issuer insiders and investors should be warned to bewary of messages sent to them from third party services, social media, and slackbots, and to track known scams by using the Ethereum Scam Database that currently lists 2,140 scams, 83 of which are active. Of course such disclosure should not be too detailed so as to reveal its cyber-defense to potential hackers.
Since introducing cybersecurity protocols helps prevent funds from being stolen, IT-driven best practices perfectly align token developer and token buyer's interests because they both lose out when ICO funds are misappropriated.
2) Code Verification
One of my friends who worked as a software developer for a major Silicon Valley e-commerce firm recommended that the protocol of the prospective ICO be certified by an independent third party. Certifying the protocol codes is an important step in protecting token buyers' interest before their ICO purchase. Some ICO protocols are rushed to the funding stage which leads to sloppy code writing which may undercut the efficacy of the protocol. Therefore having third party code certification goes a long way in making sure issuers are incentivized to spend sufficient time in writing solid codes for their protocols. For example, a smart contracts security firm recently audited the codes for the KIK ICO and published its full review of errors and corrections they discovered. When these errors were publicly disclosed, the community was able to use that information to assess the risk level of buying into the ICO.
3) Technology & IP Verification
I prefer the term "Techfin" over "fintech" because technology is the key driver of digitalizing finance. Without tech, fin would still be stuck in the 20th century. This is why it's important for all ICO issuers as a best practice to verify whether they have complied with all applicable procedural requirements relevant to the development, invention and commercialisation of its technologies and intellectual property rights (collectively, “Tech-IPs”). The disclosure provided would be publicly available to allow token buyers to gauge the scope, nature and perceived quality of the issuer's Tech-IPs. (I have written about this here in the context of stock exchanges adopting this as a listing requirement.)
Specifically, the ICO issuers should make binding representations and warranties as to the following non-exhaustive items:
- list of its issued patents, provisional patents, trademarks, service marks and copyrighted materials with issuing authority;
- whether its issued patents have been substantively reviewed for patentability by the relevant patent office by examining all relevant prior arts, subject matter eligibility, novelty and obviousness;
- whether the export of relevant technologies, data and software complies with applicable export control laws and cross border data privacy laws;
- whether it has duly paid all of its IP maintenance fees (such as annual patent fees) and complied with any upkeep requirements to keep its IP rights valid;
- whether any of its IP rights are or will likely be the subject of any controversy or litigation;
- whether it has protected its IP rights by using confidentiality and invention assignment agreements with current and former employees, founders, owners, consultants and relevant third parties) and whether there are any material exceptions therefrom (such as co-ownership rights retained by such persons); and
- whether the issuer possesses and develops any trade secrets (if so, the applicant should list the steps it has taken to preserve their secrecy and efforts made to provide proof of its authorship over its trade secrets).
IV) Governance-related Best Practices
1) Right to Vote on Scalability and other Protocol Upgrades
If a protocol becomes too popular and attracts a massive user base, then the protocol network will become congested. How will solutions to problems created by "scalability" be decided or implemented? Currently most tokens issued in ICOs are concentrated in the hands of early core development team and miners and empowers them to make decisions on protocol upgrades and amendments.
To address this issue, token buyers should be provided the right to vote on protocol upgrades. For example, Tezos (which already completed its ICO) expressly allows its users to do so. Its governance document says that its stakeholders can approve protocol upgrades that are then automatically deployed on the network:
"[w]hen a developer proposes a protocol upgrade, they can attach an invoice to be paid out to their address upon approval and inclusion of their upgrade. This approach provides a strong incentive for participation in the Tezos core development and further decentralizes the maintenance of the network."
It is unfortunate however that the token holders of Tezos would never get the chance to use the protocol upgrade voting mechanism given Tezos' dramatic implosion. On October 25, 2017, its contributors filed a class action lawsuit against Tezos' founders in California state court. It is uncertain whether the token holders would be able to have its class certified by the state court or even prevail on the merits because most ICOs deal documents require investors to waive all of their rights under very broad disclaimers and submit to binding private arbitration (in Switzerland in Tezos' case). The Tezos episode underscores the importance of implementing substantive best practices that protects investors' savings and rights. Regardless of the unfolding debacle of Tezos, at least the market can draw one important "lesson learned": the right for investors to vote on protocol upgrades, which is still a good idea and a right step in future governance documents.
2) Right to Vote on Other Key Governance Issues
The protocols running the networks of all ICOs are decentralized in nature. Ironically, the de facto operational control of an ICO issuer is highly centralized, perhaps more centralized than the ownership structure of most traditional corporations.
Currently, almost all ICOs do not include any governance mechanism that allows token buyers' input on the affairs of the ICO issuer. For example, a major governance problem in all ICOs is the lack of transparency on large ownership concentrations and vulnerability to price manipulation. Almost all ICOs do not offer any meaningful way for token buyers to have any say on key issuer affairs through an elected board with oversight over management. This is unfortunate because allowing token buyers to have an input on key governance issues permits the ICO issuer to police its own affairs itself (rather than have a centralized government regulator do so). The token users of a particular protocol would be the ones in the best position to understand how the network works so as to enable them to identify structural problems for remediation.
There are various ways to democratically empower token users to have a say on key governance affairs. ICO issuers can consider setting up a board of directors (which traditional corporations and partnerships use to oversee management) and allotting several board seats to be filled by candidates selected by token users. Through their representatives on the ICO issuer's board, token users can be in a position to act as overseers of its affairs and hence be in a position to protect their interests from being scammed, which is one of the prudential concerns of regulators. If the ICO industry enacts governance safeguards to give its users a say on key affairs, then regulators can view this step as lessening the need to enact stiff rules and regulations on ICOs. If token users can help themselves via governance best practices, then regulators would not need to help them do so via potentially draconian regulations.
Best Practices Incorporated into Future Law
The ICO community should proceed with an overall best practices setting strategy in three stages.
First, it should set best practices to be adopted as minimum industry standards to protect consumers' interests. The above best practices are a good start.
Second, it should lobby regulatory authorities to incorporate such best practices into future ICO laws. The goal for regulators would be to integrate any new rules with ICO best practices that can be used to satisfy regulatory requirements. For example, the US SEC's conflict minerals rule (Rule 13p-1 under the Securities Exchange Act of 1934) is integrated with industry best practices which are taken into account when assessing the reasonableness of a "country of origin inquiry". The SEC rule also expressly recognizes the OECD's Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High Risk Areas as satisfying the SEC's criteria and may be used as a framework for purposes of satisfying the conflict mineral rule’s requirement that an issuer exercise due diligence in determining the source and chain of custody of its conflict minerals (see page 206 of final rule here).
Third, the ICO community should establish an independent NGO or self regulatory organization with national chapters to:
- maintain a public registry of ICO issuers that comply with certain minimum best practices;
- promote the adoption of standards and accountability;
- revise best practices in light of changes caused by market conditions & emerging technologies;
- certify ICO issuers for their compliance with best practices; and
- raise ICO safety awareness worldwide.
For example in the hi-tech sector, the "EICC" was founded in 2004 by top tier electronics companies seeking to create an industry-wide standard on social, environmental and ethical issues in the electronics industry supply chain. Now the EICC counts as its members every major player in the hi-tech industry. The EICC sets codes of conduct on a wide range of topics relevant to the global electronics supply chain, from workers' rights to certifying smelters as conflict minerals free. In Techfin, key players should unite and form an entity with mission goals similar to the EICC but applied in the techfin space.
One day after the posting of this essay, on September 18, 2017, the Chamber of Digital Commerce, (headquartered in Washington, D.C., the Chamber is the world’s largest trade association representing the digital asset and blockchain industry) launched the "Token Alliance", an industry-led initiative to educate, promote and help shape the responsible growth of token and digital asset issuances. The Token Alliance is co-chaired by former Chairman of the US Commodity Futures Trading Commission, Dr. Jim Newsome, and former US Securities and Exchange Commissioner, Paul Atkins. The goals of the Token Alliance focus on:
- Education (educating and engaging policy makers and the public);
- Best Practices (developing industry best practices, frameworks and standards);
- Resources (providing key market data and analysis); and
- Policy (helping shape balanced legal frameworks that drive innovation and investment).
The Token Alliance is exactly the kind of lobbying force that the ICO industry needs to ensure that any ICO regulation will protect consumer interests without undercutting innovation. Its members include some of the most influential players in this space headed by two veteran former regulators with extensive ties in government circles. Will definitely report more about future Token Alliance initiatives. Stay tuned.
Standoffs are not good for regulators, ICO issuers, token buyers and the general ICO market because of the ensuing uncertainty they create. Regulators are waiting and studying the ICO mechanism, grappling with the technology underlying ICO protocols and how they fit into traditional securities regulation. ICO issuers continue to conduct the business of tokens issuance mindful that the regulatory sword of Damocles is constantly hanging over their heads with the imminent and ever-present perils of regulatory shutdowns, investigations and worse, future new rules that over-regulate and stifle innovation. Token buyers continue investing in tokens uncertain of how future rules would affect the legality of their tokens. The market in general suffers a discount to take into account these structural uncertainties. So nobody wins in a standoff.
ICO best practices are able to diffuse the drama, suspense and tension from the current ICO standoff and allow all stakeholders to benefit. Regulators benefits because they can watch and see how best practices are helping token buyers before they create new rules that carry the risk of over-regulating the ICO market. Issuers benefit because they are able to offer consumer protection that can be quickly adjusted in light of new market conditions, abuses and technological developments in a manner much faster than relying on time-consuming legislative rule-making process. Token consumers benefit because they get the best of both worlds: industry best practices that (with successful lobbying) can be integrated into future ICO legislation protecting their rights and benefits.
#techfin #fintech #ICO #ICObestpractices #tech #TradeSecrets #IP #Securities #Investorprotection, #Securitiesfraud, #Securitiesregulation #SEC #CFTC #DCblockchain #DCSummit