The Federal Government recently released a consultation paper (Consultation Paper), setting out the Government's proposed approach to licensing and regulating crypto asset secondary service providers (CASSPrs). This article unpacks the Consultation Paper, examines proposed concepts such as the CASSPr and definitions, and concludes with our early thoughts on the proposed legislative framework.
What is a CASSPr?
The proposed definition of CASSPrs would include service providers who give consumers and businesses access to crypto assets, including:
- custody and storage services – where software and hardware are used to store and handle private keys;
- exchange, brokerage and dealing services – facilitating access to crypto assets; and
- operating a market – facilitating the peer-to-peer exchange of crypto assets.
The proposed definition of a CASSPr in the Consultation Paper is: any natural or legal person who, as a business, conducts one or more of the following activities or operations on behalf of another natural or legal person:
- exchange between crypto assets and fiat currencies;
- exchange between one or more forms of crypto assets;
- transfer of crypto assets;
- safekeeping or administration of virtual assets or instruments enabling control over crypto assets; and
- participation in and provision of financial services related to an issuer's offer or sale of a crypto asset.
Consultation Paper Summary
The Consultation Paper covers the following:
- general overview of the crypto asset ecosystem in Australia;
- the existing regulatory framework, and the actual and perceived regulatory gaps;
- the proposed new licensing regime for CASSPrs;
- proposed mandatory custody obligations to safeguard private keys held by CASSPrs; and
- the Federal Government's current categorisation of crypto assets.
Existing Regulatory Framework
The existing regulatory framework is a combination of legislation, including the following:
- the Corporations Act 2001 (Cth) (Corporations Act);
- the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth); and
- the Competition and Consumer Act 2010 (Cth), which includes the Australian Consumer Law.
A 'crypto asset' is defined by ASIC as "... a digital representation of value or contractual rights that can be transferred, stored or traded electronically, and whose ownership is either determined or otherwise substantially affected by a cryptographic proof". Thus, the Consultation Paper requests industry feedback on how appropriate this definition is and whether it should be the same across all Australian Regulatory frameworks.
The key question is whether a crypto asset is a 'financial product' under the Corporations Act or the Australian Securities and Investments Commission Act 2001 (ASIC Act). In summary, we generally consider a crypto asset a financial product if it lets a person:
- make a financial investment: if a person contributes money (or money's value) as consideration to someone to generate a financial return where the contributor does not have day-to-day control over the contribution's use. e.g. investing in a company in exchange for company shares;
- manage financial risk: if a person manages the financial consequences of particular circumstances happening or avoids or limits the financial consequences of fluctuations in (or value of) receipts or costs. e.g. insurance contracts;
- make a non-cash payment (NCP): a person makes an NCP if they make a payment or cause a payment to be made otherwise than through the physical delivery of Australian or foreign currency. e.g. online payments technology.
Furthermore, if a crypto asset satisfies the definition of a 'financial product', it will be governed by a range of disclosure obligations and market manipulation restrictions ASIC Act.
However, suppose a crypto asset does not satisfy the definition of a 'financial product'. In this case, we consider it as a consumer product meaning it is subject to the Australian Consumer Law and misleading and deceptive conduct restrictions at common law.
Crypto Asset Secondary Service Providers (CASSPrs)
For the following:
- custody and storage services CASSPrs: in circumstances where crypto assets are either (1) scheme property or (2) financial products, custody and storage providers must comply with the minimum safekeeping requirements under the Corporations Act; and
- exchange, brokerage and dealing services CASSPrs: where service providers facilitate fiat currency to crypto assets, they generally must register as a digital currency exchange (also referred to as DCEs) with AUSTRAC to meet anti-money laundering and counter-terrorism funding (AML/CTF) obligations which include Know Your Customer (KYC) requirements.
Further, suppose CASSPrs provide services relating to crypto assets considered financial products. In that case, these service providers will likely be subject to Australian financial services laws and may require an Australian Financial Services License (AFSL).
Challenges and Gaps in the Law
The Government has recognised the following challenges and gaps within the existing regulatory framework:
- Is it a 'financial product'? The difficulty in determining whether or not crypto assets fall within the definition of a financial product and which laws apply because of their variety of features and rights and increasingly novel use cases;
- Consumer risk: Consumers are exposed to high risk when making investments in crypto assets, and the current framework does not provide adequate consumer protection in the event of cybersecurity, operational or financial failures of service providers;
- Misperception of regulation: Consumers may assume that crypto assets and services are subject to regulatory oversight comparable to businesses that provide financial services; and
- Prevention of crime and fraud: Current AML/CTF laws relevant to CASSPrs do not apply a fit and proper person or good character tests, which may strengthen community protection against criminal activity.
Principles and Scope of Proposed Regime
The Consultation Paper identifies the need to introduce a licensing regime to cover certain CASSPrs who provide retail customers access to crypto assets that are not financial products. However, this regime would not apply to:
- decentralised platforms and protocols; or
- crypto assets that are financial products, as they will need to comply with the financial services regime.
In addition to this regime, obligations under the Australian Consumer Law and AML/CTF laws will continue to apply.
Licensing Regime for CASSPrs
The Consultation Paper discusses a licensing regime where there would be one type of licence for CASSPrs. However, obligations can vary depending on the services offered. The proposed obligations include the following. To:
- provide efficient, honest and fair services;
- maintain adequate technological and financial resources to manage risks and provide services;
- have adequate dispute resolution arrangements in place (internal and external);
- ensure directors and key persons responsible for operations are clearly identified fit and proper persons;
- maintain minimum financial requirements, such as capital requirements;
- comply with client money obligations;
- comply with all relevant Australian laws;
- take reasonable steps to ensure that the crypto assets it provides access to are "true to label" (i.e. not misleading or deceptive);
- respond promptly to ensure scams are not sold through their platform;
- not hawk specific crypto assets;
- be regularly audited by independent auditors;
- comply with AML.CTF obligations; and
- maintain adequate custody arrangements (see Custody Obligations below).
The Consultation Paper also considers two alternative approaches to this licensing regime:
- including crypto assets into the existing financial services regime; and
- self-regulating, where the industry will develop a voluntary code of conduct. However, in this scenario, AML/CTF Laws will still apply.
CASSPrs who have a direct relationship with the customer and provide custody services for crypto assets (whether or not the custody services are outsourced) will be subject to the following obligations:
- holding assets on trust for the consumer;
- ensuring that consumer assets are appropriately segregated;
- maintaining minimum financial requirements, such as capital requirements;
- ensuring that the private key custodian has the requisite expertise and infrastructure;
- generating and storing private keys to access a consumer's crypto assets in a way that minimises the risk of loss and unauthorised access;
- adopting signing approaches that minimise 'single point of failure' risk;
- robust cyber and physical security practices;
- independent verification of cybersecurity practices;
- adequate processes for redress and compensation if crypto assets held in custody are lost;
- when a third-party custodian is used, that CASSPrs have the appropriate competencies to assess the custodian's compliance with requirements; and
- ensuring any third-party custodians have robust systems and practices for the receipt, validation, review, reporting and execution of instructions from the CASSPr.
The Consultation Paper has also considered an alternative option, which relies on the industry to work collaboratively and self-regulate crypto asset custodians by developing a code of conduct. This approach will allow for flexibility and innovation when offering these custody services.
Regulatory Objectives of Proposed Changes
The primary reasons behind these proposed regulatory changes are the following. To:
- protect consumers and increase consumer confidence in dealing with CASSPrs; and
- progress towards regulatory certainty, which promotes innovation and competition.
To achieve this, the Federal Government has identified the following objectives for the proposed regulatory regime. To:
- ensure that regulation is fit for purpose, technology-neutral and risk-focused
- create a predictable, light touch, consistent and simple legal framework;
- avoid undue restrictions;
- recognise the unique nature of crypto assets; and
- harness the power of the private sector
The Consultation Paper demonstrates the Federal Government's willingness to address key risks to consumers and work collaboratively with the industry.
As a result, the proposed regime has the opportunity to establish a framework that is both safe for consumers and flexible enough to allow industry participants to build innovative products and services that can create enormous value for consumers.
This certainly challenges the general sentiment held by some in the industry that regulation slows innovation.
Furthermore, it is essential to address the existing regulatory gaps in the crypto asset industry. Overall, the Federal Government's proposed licensing regime will achieve this. However, the regime needs to be simple and not overly demanding to ensure that startups can participate as CASSPrs.
Concerning the custody obligations of CASSPrs, it seems as though a regulated industry code of conduct will provide enough flexibility and fitness for purpose to allow startups and other businesses to participate as CASSPrs in the crypto asset industry.
The Consultation Paper is a major development for the future of CASSPrs, and an exciting step for the future of the industry. LegalVision will be submitting feedback in response to the Consultation Paper. If you would like to understand how the obligations in the Consultation Paper will apply to you, our experienced fintech lawyers can assist as part of our LegalVision membership.