Crypto-Assets: Time to Deliver

Below is the keynote speech by Steven Maijoor, Chair of the European Securities and Markets Authority (ESMA), given at the 3rd Annual FinTech Conference – FinTech and Regulation on 26 February 2019 in Brussels.


Ladies and gentlemen,

Good afternoon, and it’s great to be back for this year’s event. Thank you to the organisers for inviting me to give this speech today. I will offer some thoughts about crypto-assets, a topic whose importance is reflected in the conference agenda. Crypto-assets and the underlying Distributed Ledger Technology, or DLT, command our attention because they are at the frontier of innovation. They therefore pose a challenge to firms, who seek to turn the promise of the frontier technology into workable business models. Likewise, crypto-assets and DLT pose a challenge to regulators, because they are partly in uncharted territory. We need to ensure our rules are clear and fit for purpose.

We have seen many interesting projects relating to DLT in financial markets. But increasingly, commentators and analysts are saying that it is time for firms to deliver on the technology’s early promise. For regulators such as ESMA, our task is to ensure that this happens in a clear regulatory framework that supports our objectives of investor protection and orderly markets.

Crypto-assets tend to attract media hype. This can heighten risks for investors, and also complicates the work of regulators. Despite the hype, we have to remain objective, with an open mind but a critical eye. I will start with a potted history of DLT, as a way to explain some of the challenges faced by firms. I will then turn to ESMA’s response.

Market developments

DLT: early projects reveal challenges for firms

To start, then, let us retrace the path that DLT and crypto-assets have taken so far. This will allow us to survey the current landscape, and to see the challenges faced by firms.

Crypto-assets have revolutionary origins. I mean this in a political as well as a technological sense: ideology was a motivating force for the technology in its early days. Early enthusiasts for Bitcoin, the first virtual currency, stressed how it could operate independently of any central authority. It is in essence an anarchic system, an extreme example of the disintermediation we often associate with FinTech.

It will not shock you to hear that I do not recommend anarchy as a way to organise a financial system. As a technological feat, Bitcoin was a remarkable achievement. However, it suffered from significant limitations. Creating immutable records required enormous computing power. And it did not solve the problem of trust, as decentralisation brought the risk of fraud and money laundering. Many regulators expressed concerns.

Meanwhile, some firms tried to apply variants of the original Bitcoin blockchain, known as ‘permission-based’ or ‘private’ ledgers, to financial markets. To allow large-scale operations, they had to reduce the level of decentralisation. Decentralisation is hard to square with some of the features we need in financial markets, such as clear ownership, clear responsibilities and a degree of privacy. It also makes security very costly, financially and environmentally. You may have seen reports that Bitcoin mining has been consuming more energy than Ireland!

ESMA published a discussion paper on DLT in securities markets in 2016, followed by a report in early 2017. The report highlighted several possible benefits from the technology applied to securities markets, including post-trading activities, but also a series of challenges before DLT could be efficiently deployed. These challenges relate to the difficulties in scaling up the technology in a suitable manner, and are mostly yet to be solved.

We are still far from seeing widespread adoption of DLT by financial sector participants. Although it has revolutionary origins, DLT is not guaranteed to revolutionise financial markets. Whether firms can develop a ‘killer app’ will depend on whether they meet the challenges that stem from inherent features of the technology. And even if DLT becomes widely used, it may coexist with other technology, rather like apps for ride-hailing and accommodation existing alongside taxi firms and hotels.

I do not want to sound unduly negative on this last point, however. If DLT can make some processes within markets run better, it may also spur traditional operators to make improvements.

Crypto-assets: acute risks arise

During 2017, the spotlight shifted to Initial Coin Offerings, or ICOs. We saw substantial inflows to crypto-assets in general and ICOs in particular. ICOs have potential benefits as a new channel through which innovative businesses can raise capital. However, there are severe risks associated with many ICOs, as they operate at the fringes of the regulated world. The fact that many ICOs are located offshore should prompt investors to tread warily, but unfortunately many invest without understanding the risks, or even worse are taken in by outright scams. ESMA issued two statements in November 2017 to alert investors to the high risks of ICOs and to remind firms involved in ICO activities of their obligations under EU rules. But of course the risks associated with these assets persist.

Alongside ICOs, many virtual currencies experienced a huge price bubble during 2017 and early 2018. This prompted ESMA to issue a Warning, together with the other European Supervisory Authorities (ESAs) as we were concerned about the speculation around these instruments. Even at the height of the bubble, market capitalisation was small compared to other types of assets, even if some investors put all their savings into Bitcoin. This fact has reassured us from a financial stability perspective, but risks to investor protection remain acute.

ESMA’s response

Legally qualifying crypto-assets

I will now turn to our most recent work. By 2018, ESMA had published a report on DLT and made statements and warnings about various crypto-assets. We had addressed different aspects of the same underlying technology, highlighting both benefits and risks as appropriate. But there was now a clear need for a more systematic approach, as a full crypto-asset ecosystem was starting to emerge. With this in mind, and in line with the European Commission’s FinTech Action Plan, we started to assess the applicability of the existing rules to the emerging and very diverse population of crypto-assets. Our work highlighted a number of gaps and issues in the rules in this regard. In January this year, we published Advice to the European Commission, Parliament and Council and recommended that they consider these gaps and issues and address them where relevant.

How did we go about our work? A natural starting point was the legal qualification of crypto-assets. This in turn determines which rules are likely to apply. Analysis is hindered by the sheer variety of the subject matter: there are now over 2,000 crypto-assets outstanding, up from around 1,300 at the end of 2017, although Bitcoin, Ripple and Ether together represent about three-quarters of total market cap, and most of the volumes traded.

Some crypto-assets share features with traditional financial instruments, such as having dividend or governance rights attached. Others provide some utility or consumption rights. Still others, like Bitcoin, are meant to be used as a means of exchange for payment. Many have hybrid features, which may even evolve over time. This makes it plain to see that we cannot legally qualify crypto-assets via a ‘one size fits all’ approach.

To inform our work, we assessed six real cases with our national authorities. We wanted to know how Member States had transposed MiFID into their national laws and, based on that transposition, whether a sample set of crypto-assets qualified as financial instruments.

It turns out that most of our national authorities agree that some crypto-assets, such as those with attached profit rights, are likely to qualify as MiFID financial instruments, in which case they should be regulated as such. However, we will have to see whether the phenomenon is sustainable once brought within the regulatory remit. Many ICOs have raised large volumes because they have evaded certain regulatory requirements.

Meanwhile, a significant share of existing crypto-assets are likely to fall outside the rules, as things stand.

Unsolved problems: keys, forks and coding errors

When regulation applies, it is meant to be technology neutral. However, it was not designed with these new instruments in mind. The first main message of our Advice, therefore, is that there may be areas where the nature of crypto-assets, where they qualify as financial instruments, requires potential interpretation, or specific requirements need to be reconsidered, to allow an effective application of regulations. I will highlight three areas that we have analysed in detail.

First, there is a lack of clarity as to what activities qualify as custody or safekeeping. Clarity is crucial in light of the unique risks around custody and safekeeping in a DLT framework. In particular, I am thinking of private keys. Your private key is needed to dispose of your crypto-assets, and so private keys and digital wallets are a target of choice for cyber attackers. And cyber risk is not the only source of operational risk. Earlier this month, the QuadrigaCX cryptocurrency exchange said it could not access some USD 190m in Bitcoin and other funds after its founder and CEO, Gerald Cotten, sadly died aged 30. The funds could only be accessed using his encrypted laptop. New initiatives such as decentralised trading platforms aim to mitigate these risks, but face their own challenges. Clarity is needed as to which type of activities may fall within the scope of the existing custody or safekeeping rules. Consideration should also be given as to whether current rules adequately address the unique risks posed by private keys.

Second, there is a need to consider the specific risks raised by ‘miners’ or ‘validating nodes’, considering the novel and fundamental role that they play in DLT. Also, the definition of settlement finality, a cornerstone of well-functioning financial market infrastructures, requires specific consideration. As an example, ‘permissionless’ DLTs, like the public Ethereum blockchain on which many ICOs are built, use algorithmic consensus to agree on a single version of the ledger. ‘Forks’ are possible in which two competing versions of the ledger run in parallel for some time. Features such as forks mean that permissionless DLTs, in their current form, are poorly suited to securities markets. Permission-based DLTs strive to address those issues, but have other shortcomings. We need to consider possible ways to address the specific risks raised by miners, bearing in mind that not all DLT set-ups are relevant to securities markets.

Third, risks stem from coding errors in the underlying protocol and in smart contracts. Also, few people are able to understand the intricacies of the technology, which exacerbates operational risks and the risk of fraud. Cases have been reported of ICO issuers siphoning off funds from supposedly secure DLT accounts or smart contracts. We need to make sure that our rules provide for relevant security safeguards as far as the DLT protocol and the smart contracts used on top are concerned.

Filling in the gaps

I have illustrated just some issues around the application of existing rules to crypto-assets. Other gaps and issues may require consideration, for instance in relation to pre- and post-trade transparency or reporting requirements. And we may need to reassess matters as the technology develops.

Now let me turn to the second key message of our recent Advice. Where crypto-assets do not qualify as MiFID financial instruments, they are likely to fall outside of ESMA’s remit. Meanwhile, we are aware that investors may not easily distinguish between those crypto-assets that are financial instruments and those that are not. Where crypto-assets do not qualify as financial instruments (and unless they qualify as e-money as discussed in EBA’s report), we are concerned that the absence of applicable financial rules leaves consumers exposed to substantial risks. EU policymakers should therefore consider ways to address the risks in a proportionate manner.

As a priority, we advise them to extend the scope of AML rules to all these activities that involve crypto-assets. In particular, we agree with EBA that providers of exchange services between crypto-assets and crypto-assets (and not only between crypto-assets and fiat currencies) and providers of financial services for ICOs should be within the scope of AML/CFT obligations.

In addition, appropriate disclosure requirements should be set up to ensure that consumers understand the risks of crypto-assets prior to investment. This would include requirements to provide relevant information on the issuer, the rights attached to the crypto-assets and the risks. Too often, we see so-called ICO ‘whitepapers’ emphasising the likelihood of financial returns to the detriment of risks to incentivise consumers to buy.

Importantly, we believe that a more elaborate bespoke regime for those crypto-assets that do not qualify as financial instruments is premature. The phenomenon is still novel and business models continue to evolve. A more elaborate regime may risk legitimising crypto-assets and encouraging greater participation. Any novel framework should also protect the integrity of existing capital markets and be flexible enough to capture the variety of risk factors that the different types of crypto-assets introduced.


I will conclude by noting that ESMA’s work will not stop with the publication of our Advice. As I have described, the history of DLT has revealed inherent challenges relating to governance, security, privacy and interoperability. We will continue to monitor markets closely to see whether firms are able to meet these challenges, enabling them to deliver DLT applications in securities markets at scale.

We will also continue to work closely with our national authorities to support a convergent approach to the supervision of crypto-assets, including in relation to their legal qualification, and other forms of financial innovation. As we heard this morning from Vice President Dombrovskis, an important new initiative is the EU Innovation Network, to be launched in April 2019 by the European Commission and the three ESAs. This follows a joint report on innovation hubs and sandboxes in the EU, which the ESAs published in January. The Network will bring together the national innovation hubs and regulatory sandboxes from the Member States to share best practices and promote regulatory and supervisory convergence for innovative businesses in the EU. Finally, because innovations are often global, ESMA will continue to actively cooperate with other regulators internationally, including through the FSB and IOSCO.

Thank you for listening.

