I was lucky to interview Cherise Abela Grech, a lawyer specialising in financial services law, Distributed Ledger Technologies (DLT) and Blockchain, as well as cryptocurrencies. We have talked about Maltese regulation, ICO (Initial Coin Offering) vs STO (Security Token Offering), and the ICO process in Malta.
My name is Cherise, a senior associate at GTG Advocates, a law firm based in Valletta, Malta. My main areas of practice are financial services, more specifically the FinTech side of financial services. Right now I focus a lot on the financial services side of cryptos, which includes security token offerings, as well as licensing of any kind of companies that are working in the crypto sphere, also from a financial service point of view.
Coinisseur: Why is regulation needed in the first place?
Cherise: As we’ve seen in the last couple of years, the lack of regulation has allowed crypto activity to thrive, particularly because operators were allowed to function completely unhindered. If one wanted to raise capital through an ICO for example, that was pretty easy to do. If you wanted to operate some kind of exchange or other activity in a country that doesn’t have a very good regulatory regime, then you were allowed to do that. At the same time, when problems happen, when exchanges get hacked, when ICOs end up being scams, that’s when the investors and the users end up getting hit quite hard. At the end of the day, it is the local authorities and the local government that have to respond to these types of instances. I think that is one of the reasons why a number of countries, including Malta, have looked at creating legislation in this particular sphere.
C: What does the environment look like in Malta? I’ve read that in Malta the regulation is quite crypto-friendly, but banks are not.
Banks in Malta have, unfortunately, been a little hesitant when it comes to servicing companies that are active in the crypto sphere, which is a bit ironic given that the government has been pushing so much for the regulation of these types of companies. Unfortunately, banks sometimes find themselves with their hands tied. Malta is small and an island, so we are dependent on correspondent banks that don’t necessarily always understand the concept of cryptocurrencies, and particularly, regulated cryptocurrency companies. Certain banks in Malta might be willing to service crypto businesses but may find themselves with their hands tied behind their backs, because, for example, a correspondent bank does not allow them service. It’s an unfortunate reality that we’re facing, not just in Malta, but worldwide I would say. In fact, I think one of the biggest issues that crypto companies face is opening bank accounts (Coinisseur has covered this issue in this article) to allow them to operate even basic things like salaries to their employees.
C: What does the environment look like on a European level?
On a European level, I know that there are a number of EU initiatives that are trying to see how to regulate cryptocurrencies and cryptocurrency activities. I think the only form of regulation on an EU level is limited to the extent of anti-money laundering, such as the fifth AML directive, which is very limited, and it doesn’t even cover all the cryptocurrency activities that should actually be covered under AML. In Malta we adopted the 5th AML directive and went beyond it – we are covering different types of crypto-related activities, including issuers, exchanges, and different types of activities which are regulated under the Maltese VFA regime.
C: Are we moving towards a European regulatory framework?
In terms of creating an EU harmonized framework that regulates cryptocurrencies, I don’t really see that happening anytime soon. Even reaching a consensus will take a while, because different countries have different stances when it comes to the regulation of crypto assets. So there’s still quite a long way to go, unfortunately. Obviously, having a common EU framework would allow us to have what we have under traditional financial services, which is what most operators want, but unfortunately, I don’t see that happening anytime soon.
C: Let’s switch to the topic of ICO (Initial Coin Offering) vs STO (Security Token Offering), is there really a difference between them?
In Malta, the distinction between an ICO and an STO depends on the nature of the token that you’re trying to issue. Instead of calling them crypto assets or just cryptocurrencies we call them DLT assets, which we have classified into four different types.
We have the virtual token, which is a pure utility token. It’s very limited in nature because it cannot be traded on an exchange. The regulator does not consider it as having a lot of risks, as the use of a virtual token is very limited. Imagine having a token that operates on a gaming platform that is limited completely to that platform. It has no value outside of it. It poses less of a risk, both to the issuer and also the investor that is investing in that particular token. That type of token is completely unregulated.
Then you have the financial instrument. The financial instrument will include things like security tokens for example, and we’ve decided that those types of tokens should continue to be regulated under the traditional financial services in the EU.
We also have the electronic money token, which is basically a token that emulates electronic money. It should also be regulated under the traditional financial service legislation, more specifically, it is regulated under e-money.
Then, by exclusion, if a DLT asset is not a virtual token, not a financial instrument, and it is not electronic money, then it is what we call a virtual financial asset (VFA). The new law enacted in November 2018 aims to regulate this particular class of DLT.
For us, the distinction between an ICO and an STO is that when we’re talking about an ICO (which we are terming an IVFAO) it refers to the issue of a DLT asset that qualifies as a virtual financial asset (VFA), whereas in the case of an STO we’re talking about a DLT asset that qualifies as a financial instrument and is regulated under traditional financial services. So under the regulatory regime of Malta, there is quite a distinctive difference between them.
C: Not everybody needs to ICO. Have you ever advised a company NOT to ICO?
In 2017, and also at the beginning of 2018, the concept of an ICO was very much in demand. A lot of people wanted to do the next cool thing when it comes to raising capital, and ICO was the buzzword of the time. We got a lot of clients that were interested in doing an ICO to raise capital, but they didn’t necessarily always understand the concepts and what it means to do an ICO and using blockchain as a technology. There were cases where we advised clients “listen, based on your business model and based on what you want to do, this can be done without using DLT at all”. So yes, there were cases where we told the client that an ICO is not the way to go for their project.
C: Now let’s dive into the ICO/STO process. What does it look like in Malta, and what should a company know before they launch an ICO?
Ideally, before anyone wants to do an ICO, one of the first things they need to consider is why are they doing an ICO – is this the way to go in terms of seeking funding? That’s step number one.
In Malta, the next step would be to do what we call a financial instrument test, which is a test devised by the local responsible authority, the MFSA, which helps distinguish and characterize the nature of the token into one of the four different types of DLT assets that I mentioned earlier. The test determines if the token is a virtual token, a financial instrument, electronic money, or a virtual financial asset. If the token is determined to be a virtual financial asset, then that particular token falls under the VFA regime as we call it, and then it qualifies as a pure ICO (IVFAO).
If someone wants to make an offer to the public of that particular token, then the next step would be to appoint what is known as a VFA agent. As far as I know, this is specific to Malta. I have not heard of other countries that have created this role of an intermediary for a licensing regime. Having said that, a lot of countries don’t have a licensing regime.
A VFA agent is usually a lawyer, an accountant, or an auditor that is licensed by the local authority (Malta Financial Services Authority, or MFSA) to represent clients in the VFA sphere that want to get some kind of authorization from the local authority. An issuer that wants to issue an ICO, or a service provider that wishes to get a license to offer VFA services, needs to appoint a VFA agent to guide them and represent them before the authority. In other words, the role of the VFA agent is that of an intermediary between the authority and the issuer or the service provider.
When the issuer has done the financial instrument test and has confirmed that they have a virtual financial asset, and when they have the VFA agent who endorses the determination of the test, drafting a white paper would be next on the list. The law says exactly what should be in the white paper. It is primarily intended to provide the necessary information for investors to make an informed decision before they invest in the ICO. Once that is done, the white paper would need to be registered with the local authority before the ICO can be officially issued.
Apart from that, the authority also requires an audit by a systems auditor. What the regime in Malta has done is, apart from being regulated by the local financial services authority, they have also created a completely separate authority, which is known as the Malta Digital Innovation Authority (MDIA). The MDIA offers certification to (usually) tech companies that operate as systems auditors. The role of the systems auditor is to review the smart contract that backs the ICO, to see that what is embedded into the smart contract follows exactly what the white paper says. For example, if the white paper says that following the investment by the investor (a year, for example) a token or some kind of return will be granted to the investor, the smart contract must show exactly what is included in the white paper. In short, the role of the systems auditor is to make sure that what is promised in the white paper will be automatically delivered in the smart contract, and it is a mandatory part of the registration process of the ICO.
Once a system audit has been done, you need to make sure that the AML and compliance officers are in place, and that there is GDPR compliance. The money-laundering reporting officer and a compliance officer make sure that AML is overseen and that the requirements of the authority are abided by. Once all those things are in place, you can register the white paper with the authority. Once that’s done (it has to be registered 10 days before the launch), you can finally issue your ICO and start collecting money.
C: Normally a white paper is legally non-binding, it’s just a document – in Malta, are the issuers responsible for the contents of their white paper by law?
In Malta, the contents of the white paper need to be abided by the issuer. That is one of the reasons why it is also registered with the local authority. In fact, it is also a part of the role of the VFA agent that I mentioned. In the case of an ICO, the role of the VFA agent is ongoing. If the issuer has set certain milestones within the white paper it is the role of the agent to make sure that the issuer is abiding by those milestones. If it isn’t, then the agent is bound to inform the authority that those milestones have not been reached. It doesn’t mean that you will be sanctioned just because you haven’t reached some milestones. There might be reasons, plausible reasons, why you haven’t. What the authority is after, is making sure to distinguish between the legit issuers that haven’t reached the milestones because of some legitimate reason and those issuers that have not reached the milestones because their intention is merely to run away with the money. To a certain extent, yes, I would say that the white paper would be a legally binding document.
C: I’d like to refer to your experience now: what are the areas that companies struggle the most with during the process?
We have to distinguish here between ICOs and STOs.
In the ICO sphere, the biggest difficulties that issuers face are from a regulatory point of view – they might not necessarily understand all of the requirements that they face, also from a banking point of view. As we’ve said, banks have been unfortunately a bit hesitant when it comes to opening accounts. So you might have collected a certain amount of cryptos and investment that you need to convert to fiat, and when it comes to withdrawing the money from an exchange and putting it into a bank account, that’s where you hit a brick wall. The bank will ask you where you got the money from, and suddenly you don’t pass a source of funds check that the bank wants to do. What the Maltese regulator has tried to do is implement safeguards: for example, the issuer of an ICO is required to do AML checks. Traditionally, when you have an IPO, the issuer is not deemed to be a subject person for AML purposes, but the regulator has said that for an ICO that is a requirement, because they understood that without that the issuer would still have problems along the way when it comes to depositing their fiat into a bank. You need to have certain checks in place, to make sure that if you have been provided with Bitcoin, for example, you need to make sure that that Bitcoin has not been tampered with the use of tumblers, mixers, etc. to make sure that it’s clean. That way you have a bit more peace of mind knowing that the money that you receive, that the source of that money, is clean. Those are the biggest issues from an ICO point of view.
When it comes to STOs, the biggest issue that issuers have right now is where to list their security token. Unfortunately, there aren’t a lot of exchanges at the moment for security tokens. You might issue a security token, do a private placement, for example, because it’s realistically easier as you don’t have to register the prospectus. But when it comes to listing, there aren’t a lot of exchanges that would be willing to list the token.
C: Do you think that doing an ICO/STO will be easier in the future? And will there be differences between how easy it is to do an ICO, and how easy it is to do an STO?
We are moving bit by bit, country by country, from an unregulated environment towards a regulated environment. You could say that it is now harder to do an ICO, compared to how it was, say, two years ago. Now you have to follow all these regulations and requirements. I think that is one of the reasons why ICOs were so popular in the first place, because startups had realized that raising capital under the traditional ways was just too hard, and they wanted a way to raise capital in an easier way (not necessarily in a non-legit way). Perhaps it was the industry’s answer to the regulators, saying “listen, what we have right now does not necessarily work for a start-up”. So from that point of view, I would say it’s harder. But at the same time, I think that as more regulation comes into force, in the end, it will just be pretty similar to what we already have, but perhaps more catered for the startup environment, which is more prevalent in the DLT sphere. Obviously, as time goes by, regulators become more aware of the industry. Once they understand the industry a bit more, they will be able to cater to the regulatory regime more in line with what the industry requires.
From an STO point of view, the regime has been there, at least in the EU, for a very long time, and I don’t see it changing. More than anything else what we can work on, and what we as a country are in fact working on, is making sure that the regime we have in place is actually able to cater to issuing a security that is on a DLT, and not a traditional security as we know it. So, to a certain extent, it would be easier in the security token sphere, as it will allow for more possibilities.