Babbitt First | Legal Regulations on Client Asset Protection of Crypto Asset Exchanges: From the Perspective of Related Rules in Canada and Hong Kong

Author's note: History has repeatedly proven, and will continue to prove, that incidents like Fcoin's will not be isolated cases. How to effectively protect customer assets is a major compliance issue that cryptocurrency exchanges in every country will have to face sooner or later. In response, Canada has expanded its regulatory scope, while Hong Kong has established special rules.

Where supervision is absent or insufficient, as long as customer assets remain under the control of the crypto asset exchange, incidents like Fcoin's recent cash-out crisis and the earlier theft at Mt. Gox are difficult to avoid completely. How to effectively protect customer assets is a major issue that regulatory authorities and cryptocurrency exchanges will face sooner or later.

In the traditional securities market, the mechanism under which "securities companies manage transactions and commercial banks manage funds", with clients' securities transaction settlement funds held in custody by a third party, has long been a relatively common market and regulatory practice. In the emerging crypto asset trading market, the regulation of client asset protection is generally crude, lagging, and inadequate. It is not uncommon for client assets held at an exchange to be stolen, misappropriated, or embezzled.

In response to these problems, and in order to safeguard investors' assets and regulate the related conduct of crypto asset exchanges, regulatory authorities in some countries and regions have issued preliminary rules in recent years, and some countries are in the process of studying and exploring regulatory frameworks.

For example, Japan revised the "Fund Settlement Act" and related supporting regulations adopted in May 2016 to require crypto asset exchanges to manage their own assets (including fiat currencies and virtual currencies) separately from investors' assets and to accept audits by accountants. The Hong Kong Securities and Futures Commission (SFC) issued the "Statement on the regulatory framework for management companies, fund distributors and trading platform operators of virtual asset portfolios" in November 2018 and the "Position Paper: Regulation of Virtual Asset Trading Platforms" ("Position Paper") in November 2019; with reference to the regulatory measures it has adopted in the traditional securities market, it has formulated regulatory rules specifically applicable to the protection of client assets of crypto asset exchanges. The Canadian Securities Administrators (CSA) and the Investment Industry Regulatory Organization of Canada (IIROC) issued Consultation Paper No. 21-402, "Proposed Framework for Crypto-Asset Trading Platforms" ("Framework"), in March 2019, and the CSA issued Staff Notice No. 21-327, "Guidance on the Application of Securities Legislation to Entities Facilitating the Trading of Crypto Assets" ("Guidelines"), in January 2020; these are intended to reflect the Canadian regulatory requirements related to client asset protection at cryptocurrency exchanges.

The author has noticed that, in terms of customer asset protection, Canada is distinctive on the question of "whom to regulate" (that is, the choice of regulatory targets): the exchanges it intends to bring under the country's securities regulations are not limited to centralized exchanges that list security tokens, but actually extend to centralized exchanges that control most of their customers' assets. Hong Kong is more distinctive on the question of "how to regulate" (that is, the measures taken to protect customer assets) and has formulated comprehensive, detailed rules specifically applicable to the protection of customers' crypto assets. The regulatory efforts and explorations of these countries and regions on customer asset protection at crypto asset exchanges deserve the attention of regulators in other countries and of the crypto asset exchanges concerned.

1. Canada's proposed regulatory targets

(1) Criteria for determining the objects of supervision

According to the author's observations, some countries and regions that have established regulatory frameworks for crypto asset exchanges (such as the United States, Singapore, and Hong Kong) often treat whether the crypto assets listed on an exchange are security tokens as the main standard for deciding whether that exchange needs to be regulated under the country's securities regulations. If the crypto assets traded on the exchange include at least one security token, the exchange is usually subject to the securities regulations of that country; if the exchange does not involve trading in security tokens (for example, it trades only payment tokens or functional tokens such as Bitcoin and Ether), it is generally not covered by the securities regulations of that country. In addition, because decentralized exchanges generally do not control customer assets (users keep their own crypto assets, and transfers of crypto assets between users are carried out through smart contracts), from the perspective of customer asset protection they are generally not subject to securities regulations.

Canada, in addition to supervising exchanges that trade security tokens, has added a further factor that determines the scope of supervision: for exchanges that do not trade security tokens, whether they "immediately deliver" customer assets to the investor after a transaction occurs. If they do not, these exchanges that trade non-security tokens are also brought under supervision.

(2) Reasons for bringing exchanges that do not trade security tokens under supervision

1) The contract claim for the delivery of assets constitutes a "derivative"

According to the CSA guidelines, even if the crypto assets traded on an exchange are not security tokens but commodities (such as Bitcoin), if the exchange does not "deliver" the crypto assets to investors immediately after the transaction, it still actually controls the investor's assets, and the investor has only a contractual claim against the exchange for the transfer of those assets. That contractual right may itself constitute a derivative (in some jurisdictions, such contractual rights may be considered securities, investment contracts, debenture certificates, rights or equity certificates), so these exchanges are also subject to Canadian securities regulations.

2) Understanding and recognition of "immediate delivery"

According to the guidelines, crypto asset exchanges that meet the following two conditions are not covered by Canadian securities regulations: (a) the crypto assets traded on the exchange do not constitute securities or derivatives; and (b) under the crypto asset purchase contract, the exchange has the obligation to "immediately deliver" the crypto assets to users, and, as a matter of trading practice, the exchange completes settlement by "delivering" the crypto assets to users immediately.

The CSA pointed out that there is no direct and clear standard for judging whether an exchange has the obligation and intention to "immediately deliver" crypto assets to users; this must be judged comprehensively in light of written and unwritten terms, the specific situation, trading practices, and other factors. Whether and when the exchange has completed "immediate delivery" also needs to be determined on the principle of "substance over form", taking into account the specific circumstances and the economic substance.

According to the guidelines, "immediate delivery" can be considered to have occurred if: (a) the exchange has transferred ownership, possession and control of the crypto assets to the user, and the user has the right to freely use and dispose of such crypto assets without having to involve or rely on the platform or its affiliates, and the platform or its affiliates do not retain any security interest or other rights in such crypto assets; and (b) after the crypto assets are immediately delivered, users no longer face the platform's insolvency, fraud, operational, proficiency and other risks.

3) The situation where a withdrawal request is required does not constitute "immediate delivery"

The CSA further stated that if the exchange only records transactions on its books (to evidence that the user has purchased the relevant crypto assets and has the right to receive them upon making a withdrawal request), while the exchange retains ownership, possession and control of the crypto assets and transfers them to a user-controlled wallet only when the user requests it, then the exchange has no obligation of "immediate delivery". Until the exchange transfers the crypto assets into a user-controlled wallet, users still need to trust and rely on the exchange. They do not have ownership, possession and control of the crypto assets they purchased, and they still bear the platform's insolvency, fraud, operational and other risks.

In short, an exchange merely recording the customer's ownership of assets in its books does not constitute delivery, because users still need to rely on the exchange in order to eventually receive the crypto assets after requesting a withdrawal.

(3) Impact

Under the current business model of most centralized exchanges (regardless of whether they trade security tokens), users' crypto assets are controlled by the exchange: they are usually stored in accounts under the exchange's private keys, and users can obtain them only after sending a withdrawal request to the exchange. Therefore, according to the guidelines, centralized exchanges that are established in Canada, or that are not established in Canada but provide crypto asset trading services to Canadian residents, all fall within the jurisdiction of securities regulations across Canada. By introducing the "immediate delivery" factor, Canada has extended the jurisdiction of its securities regulations to centralized exchanges that provide trading services for non-security tokens.

In fact, from the perspective of the risk of theft, misappropriation, and embezzlement of client assets, customers face these risks not only on centralized exchanges that trade security tokens but equally on centralized exchanges that trade non-security tokens. Bringing all cryptocurrency exchanges that control customer assets within the regulatory scope (regardless of whether the tokens they trade are security, functional, or payment tokens) helps protect customers' assets more comprehensively, especially at the current stage, when centralized exchanges that control customer assets are the mainstream and the characterization of the relevant tokens is unclear or disputed.

2. Customer asset protection measures taken in Hong Kong

Among the countries and regions that have brought crypto asset exchanges under supervision, Hong Kong is currently one of the few that has developed clear rules specifically for customer asset protection. The regulatory rules formulated by Hong Kong not only draw on the customer funds protection measures adopted in the traditional securities market, but also take into account the particular technology and business models of crypto asset exchanges and crypto assets, and set up a more targeted safeguard mechanism for protecting client assets.

The SFC has devoted a special chapter of the Position Paper (mainly Chapter 7) to client asset protection. It is comprehensive and detailed, covering requirements for asset custodian entities, the opening of separate accounts, the establishment and implementation of internal control procedures (including account management, private key management, adoption of wallet storage technology, and deposit and withdrawal), information disclosure, continuous monitoring, insurance purchase, and so on.

(1) Requirements for custodian entities

According to the Position Paper, in order to ensure that client assets (including fiat currency and virtual currency) are properly separated from the assets of the exchange, the operator of the exchange should hold client assets for its clients through a subsidiary. The subsidiary that takes custody of client assets must be a wholly-owned subsidiary of the exchange operator, incorporated in Hong Kong and holding a Hong Kong "trust or company service provider license".

For the purpose of holding and depositing client assets, the subsidiary shall open one or more separate accounts, and these accounts shall be designated as trust accounts or client accounts. The exchange operator should ensure that all client assets are held in such separate accounts. The subsidiary shall not engage in other businesses except for the collection, holding, processing and protection of client assets of the exchange in accordance with law.

(2) Establish and implement relevant internal procedures

In order to protect client assets, the exchange operator shall (and shall ensure that the subsidiary does; the same below) establish and implement internal policies and governance procedures regarding account management, including but not limited to the following: the exchange shall not misappropriate, trade, or dispose of client assets; it shall store 98% of customers' crypto assets offline; and it shall minimize transactions involving customers' crypto assets stored offline.

To ensure that encrypted seeds and private keys can be generated, stored, and backed up securely, exchange operators should establish and implement strict internal control measures and control procedures on private key management.

To ensure that customers' crypto assets are stored securely, exchange operators should assess risks and implement appropriate storage solutions. In particular, they should keep their wallet storage technology up to date and in line with international best practices or standards.

In order to prevent theft, fraud, and other losses caused by dishonesty and misconduct, exchange operators should establish clear and sufficient procedures for the deposit of customers' encrypted assets, and actively implement them.

(3) Information disclosure

The exchange should fully disclose to clients the custody arrangements for the client assets it holds on their behalf (including the rights and obligations of the parties and the way client assets are stored), the compensation arrangements, and the handling of customers' crypto assets and related rights in the event of hard forks and airdrops.

(4) Continuous monitoring

The exchange operator shall appoint personnel to conduct regular internal audits to monitor the exchange's implementation of regulations and procedures regarding the storage and handling of client assets. The exchange should also closely monitor account activity and establish internal procedures on how to deal with the withdrawal of client assets in inactive or dormant accounts.

(5) Insurance purchase

The exchange operator should purchase insurance against risks related to customers' crypto assets (such as theft and hacking), and the coverage should extend to all crypto assets stored online and most crypto assets stored offline.

Centralized crypto asset exchanges that control customer assets without supervision were once invisible hubs of risk. With security incidents occurring at exchanges around the world, well known and obscure alike, these risks have gradually become known to users and regulators. How to ensure the safety of customer assets is a problem that both regulators and exchanges need to consider.

For regulators in some countries, Canada's determination of the regulatory scope for cryptocurrency exchanges and Hong Kong's targeted regulatory measures provide a reference for regulatory thinking and models. For centralized exchanges, ensuring the safety of customers' assets is, in the long run, not only a matter of meeting regulatory requirements but also necessary for exchanges to retain and win more users and to continue to develop.

Author: Zhang Ling, a partner at law firm Han

Disclaimer: This article only represents the personal opinions of the author and does not represent the opinions of the institution. The content of this article does not constitute legal advice and investment advice. If you need to reproduce or cite any content from this article, please indicate the author's name.