Regulation of crypto-tokens: Spotlight on the DFSA’s feedback statement

Taxonomy

In CP143, the DFSA opted for a broad definition of crypto-token that was taken from an earlier consultation paper published last year (CP136) and subsequently adopted in the Glossary (GLO) module. The regulator proposed that such crypto-tokens falling within this definition would include crypto currencies, hybrid utility tokens and asset referenced tokens. Certain tokens, which the DFSA called ‘Excluded Tokens, would fall outside the definition, these included non-fungible tokens (NFTs) and central bank digital currencies (CBDCs). In terms of utility tokens (UTs), these would be Excluded Tokens unless they were hybrid UTs. 

Definition

In the feedback statement, the DFSA reports that it has not made any major changes to the classification or definition of crypto-tokens. However, it has provided further guidance to the market on crypto-token taxonomy by providing a chart and table that provides a deeper dive into the application of the rules. In addition, the DFSA has also produced a crypto-token decision tree intended to help market participants classify the type of crypto-token they intend to operate and whether it will be permitted in the DIFC. The DFSA also states that when the regime commences (see below) it will put on its website an initial list of crypto-tokens that are recognised and that such crypto-tokens will not need to go through the formal recognition process.

Accepted Crypto Tokens

The DFSA reports that, as expected, there were a number of comments regarding its definition of a crypto token arguing that its definition is broadly aligned with that used by the Financial Action Taskforce (FATF) albeit that the DFSA changed “used” to something that is “used or intended to be used” and added “used as a medium of exchange” to further clarify the application¹.

In relation to fiat crypto-tokens, the DFSA has made changes in light of the confusion caused by the proposed use of the terms “Asset Reference Token” and “Fiat Crypto Token”. Any reference to “Asset Reference Token” has been removed. “Fiat Crypto Token” has now been defined as a crypto token whose value is determined by reference to a fiat currency or a combination of fiat currencies. Such crypto-tokens will need to undergo a recognition process and meet additional requirements set out in GEN² 3A.3.4(4). Where used by clearing houses, the fiat token will also need to meet additional governance and risk management criteria set out in AMI³ 7.2.5A.  Other crypto-tokens that reference their price against any asset, other than fiat currency, will not fall within the definition. Instead, they will fall within the wider definition of a crypto-token unless they are a derivative token or a security token.

Excluded tokens

The DFSA has kept in place the narrow definition of NFTs and has added further guidance to help market participants determine whether the crypto-token they wish to use is an NFT. The feedback statement also touches on “fractionalisation”, which is a process used to depart from the unique nature of the NFT where the token is distributed to multiple persons or relates to different reference assets.

In response to questions on gaming tokens the DFSA states that the key question will be whether the crypto-token will meet the narrow definition of an NFT or UFT. 
In terms of UFTs, the DFSA provides further examples and guidance in GEN and in the feedback statement deals with a common market misconception where the crypto currency is labelled a UT despite the token having the characteristics of a crypto-token that is used or intended to be used for investment purposes. The DFSA warns that it will not be relying on labels and will instead adopt a “substance over form” approach when classifying tokens. Authorised firms are prohibited from providing services relating to UFTs although licensed custodians in the DIFC may safeguard and administer these tokens on behalf of their clients.

Excluded tokens also include CBDCs but in contrast to NFTs and UTs, CBDCs may be used by authorised firms and their clients if and when they are made available to the public.

Designated Non-Financial Business or Profession – NFTs and UTs

A significant policy change that the DFSA has made is to bring both NFTs and UTs within the anti-money laundering / countering the financing of terrorism (AML/CFT) regime. Originally only NFTs would be in the regime but this has changed to counter the potential money laundering risks and provide a level playing field. 

The DFSA has inserted this requirement in AML 3.2.1 providing that a person who carries on the business or profession of issuing, or providing services related to, a NFT or UT must apply to the DFSA to be registered as a Designated Non-Financial Business or Profession. 

The feedback statement highlights the exclusion to this requirement which applies to issuers where each issue involves a single transaction, or series of multiple interrelated transactions that are equal to or less than USD 15,000 in value; or in the case of a service provider, where the service constitutes solely technology support or technology advice to an issuer. The DFSA clarifies that such exclusion will not apply to NTF exchanges, either operating in a centralised or decentralised manner, on the basis that they will not be viewed as solely providing a technology service as they also bring together buyers and sellers who wish to transact in NFTs.

Prohibited tokens

In CP143 the DFSA proposed banning privacy tokens and devices and algorithmic tokens. The DFSA confirms in the feedback statement that it is proceeding with the ban. It also provides further clarification on whether the use of VPNs and self-custody wallets would constitute a privacy device.

Recognition

In the feedback statement the DFSA reaffirms its consultation position that, despite many respondents arguing to the contrary, no financial services or activities can be undertaken with a crypto-token unless it is first recognised. This extends to derivatives transactions relating to crypto-tokens and to funds or portfolio managers that invest directly or indirectly in crypto tokens.

In terms of the recognition process itself, the DFSA has provided further information as to how it sees it working. For instance, the DFSA will generally issue a notice on its website of the fact that it has received an application for recognition of a specific crypto-token. It does not also rule out the possibility of receiving duplicate applications from separate firms. The DFSA feels that duplicative applications may be a useful source of insight on the same token, and will address them on a case-by-case basis.

The DFSA will publish a notice on its website every time a new crypto-token is recognised for use in the DIFC. The list on its website will be updated accordingly. It will also publish a notice when it decides not to recognise a crypto-token. The intention here is to help potential applicants avoid making an application that has been previously refused.
The feedback statement discusses the position as regards the recognition process in the event of forks⁴ and air-drops⁵. In terms of forks, the DFSA confirms that it will need to re-assess and conclude whether one or both tokens coming out of the fork are to retain recognition status. As forks are usually planned the DFSA states that applicants should, where possible, identify them and their expected effects when applying for initial recognition. For air-drops the recognition approach will be the same.

In relation to ongoing monitoring to ensure that the crypto-token remains suitable for recognition the DFSA states that this is not a daily obligation but one that requires vigilance from firms. The DFSA expects firms, in the normal course of business, to make themselves aware of changes or significant developments in products they offer to clients.

In line with its proposals in CP143 the DFSA will create an initial list of recognised crypto tokens that will not need separate recognition via the formal application process. Those crypto-tokens on the list will be recognised when the regime comes into force. Significantly, the DFSA states that the list will be a one-off exercise and whilst it can be altered it cannot be expanded.

The feedback statement also touches on the de-recognition process where a crypto-token’s recognised status is revoked. Importantly, the DFSA states that a crypto-token’s falling price should not of itself be a reason for de-recognition. Instead major hacks, serious fraud, lack of transparency are cited as potential reasons for revocation of recognition status. Where de-recognition occurs the DFSA will publish a notice on its website.

Requirements

The feedback statement covers various miscellaneous on-going requirements. These include:

• Despite some objections the requirement for technology governance and audit remains. The DFSA has clarified its expectations in this area in COB⁶ 15.8 and adjusted the requirements and expectations that a technology audit should be an audit of a firm’s compliance with the technology in 15.7. 
• Disclosure requirements for fiat crypto-tokens have been strengthened and added to COB 15.3.2 and, in respect of the Key Features Document, 15.3.1 and 15.5.1.
• Further guidance has been added to COB 15.5 regarding what the DFSA would consider “fair and balanced” when a firm provides forecasts for crypto-tokens based on past performance.
• The hair cut for professional clients has changed from 80% to 66% of the market value of the crypto-token. However, only recognised crypto-tokens may be taken into account.
• It is down to firms themselves to decide on the appropriate method of proving ownership in a crypto-token. The DFSA provides certain examples including that a firm may use a blockchain analytics firm, documentary evidence from a custodian, a demonstration of the client holding private keys in a hosted or un-hosted wallet or any other method they deem reliable.

Branches

The starting point is that the DFSA wants firms providing services in crypto-tokens to be incorporated in the DIFC. Significantly, the DFSA has, however, changed its position as consulted on in CP143 and is prepared to allow authorised firms in the DIFC, who are currently operating as a branch of a foreign financial institution, to continue operating as a branch and provide services relating to crypto-tokens without having to establish a DIFC body corporate. However, such authorised firms will need to meet the conditions set out in GEN 7.2.2(8) and these conditions include that the head office of the branch is authorised to carry on the crypto activity. This proposal will have the effect of prohibiting, at least for the foreseeable future, many DIFC firms which are established as branches from providing services in crypto-tokens, since many jurisdictions do not currently regulate crypto activities. 

Equivalence

The DFSA will publish on its website a list of regional and foreign jurisdictions that it has recognised as having an equivalent regulatory regime. The DFSA may recognise jurisdictions as being equivalent for only specific activities or services.

Funds

The feedback statement makes a number of points clarifying the position for the asset management industry. These include:

• Any business set up to manage assets that include crypto-tokens must be established in the DIFC and consist only of recognised crypto-tokens.
• The offering and marketing of funds of funds that contain crypto-tokens must consist of recognised crypto-tokens.
• The offering and marketing of exchange traded funds that contain crypto-tokens must consist of recognised crypto-tokens.
• Where a fund invests in another fund or entity which has a total exposure to crypto-tokens that does not exceed 5% of the gross value of the fund or entity, then those crypto-tokens do not have to be recognised crypto-tokens.
• No self-custody for funds consisting of crypto-tokens will be permitted.
• The DFSA has rejected the idea of a threshold for crypto-token funds.
• The DFSA will not allow foreign or external funds in relation to crypto-tokens to be offered or marketed in or from the DIFC, even to sophisticated investors. It will also not allow an external fund manager to manage a domestic (i.e. DIFC) fund that invests in crypto tokens.

Trading venues

The feedback statement also makes a number of points clarifying the position as regards trading venues. These include:

• The DFSA has changed its position as consulted on in CP143 that a crypto trading venue could be operated as either an exchange or a multilateral trading facility (MTF). The DFSA is now of the view that only an MTF will be permitted to be used as a trading venue for crypto-tokens.
• An operator of an MTF should carry out an appropriateness test for providing services relating to crypto-tokens.
• The DFSA has changed the position in terms of forums and the requirement in the Markets Law and the Code of Market Conduct that “all persons using the forum had equal access to information posted on that forum”. The DFSA has made a change to the text so that it is clear that the provision excludes the operator given that it will naturally have access to different information.
• Trading on own account by the operator is not permitted on their own venue under any circumstances.

Exposures

The DFSA confirms in the feedback statement that firms should treat any direct crypto exposures for prudential purposes using the following formula found in the Bank for International Settlements’ June 2022 consultation paper, Prudential treatment of cryptoasset exposures:

Risk-weight of 1250% * MAX [Long Positions; Short Positions]

where gross positions to Crypto Tokens are kept under 1% of Tier One Capital.

Implementation

The DFSA will be introducing a transition period for the new regime as trailed in CP143.

A six month transitional period will start on the date when the new rules come into force – 1 November 2022. However, the transitional period only applies to persons who before 1 November were authorised persons and were carrying on a financial services activity relating to a crypto-token. Furthermore, it only applies to the continuation of those same activities. Once the transitional period ends such authorised persons will need to have in place the correct permissions from the DFSA.

The feedback statement contains some useful information for those firms that wish to submit a pre-application form including a link where the form can be found (it will be available from 1 November) and the supporting documents that will be required.

Firms should also note that the transitional period does not relieve them from complying with key obligations such as the Principles for Authorised Firms, financial promotion requirements, market abuse provisions, AML requirements, provisions prohibiting misconduct (e.g.  misleading, deceptive, fraudulent or dishonest conduct), and the prohibition relating to the use of privacy tokens. Authorised firms looking to vary their licence, or new companies seeking a DFSA licence to carry out crypto token business will need to ensure that their AM/CFT policies and procedures are effective for combatting money laundering / terrorist financing risks associated with their business model.

Future work

Finally, the feedback statement contains a short section covering the DFSA’S future work on crypto-tokens. Among other things the DFSA accepts that there are areas in its Rulebook where further guidance is needed. Decentralised Finance (DeFi) is also touched on and the DFSA will be presenting its regulatory strategy on this in its next consultation on crypto-tokens.  In the meantime the DFSA has introduced (COB 15.6.5) a requirement that staking is permitted in the DIFC where facilitated or arranged by DFSA licensed entities, only where the activity is provided to non-retail clients and the purpose of the staking is for the borrower to take part in the proof-of-stake consensus mechanism for a recognised crypto-token.

Final comment

With the publication of the feedback statement and final rules authorised firms will need to assess whether they wish to vary their licence or, if they are a branch, whether they can. New firms looking to carry out crypto-token business will need to apply for a new licence. In both instances, the firm will need to be prepared and be able to show its fitness and readiness to operate a crypto-token business. In this regard the DFSA picks out the following that it will assess among other things:

• The business model and the firms understanding of the application of the DFSA rules.
• The level and fitness of the firm’s human and financial resources.
• The level of preparations the firm has undertaken to operate a regulated crypto-token business.

As mentioned above the DFSA has stated that further guidance is needed. But in the meantime it stresses that it expects both authorised firms looking to vary their licence and new firms to ensure that their AML/CFT policies and procedures are effective in combatting money laundering / terrorist financing risks associated with their business model. Firms that pose a higher level of money laundering / terrorist financing risk can expect to receive an increased level of supervisory focus.