Whilst the origins of digital currency can be traced to the late 20th century, the rocketing value of Bitcoin has seen the prominence of "cryptos" increase exponentially in the last few years. It remains to be seen whether denominations such as Bitcoin, Ethereum and Ripple represent a genuine revolution in finance or an unsustainable bubble "worse than tulip bulbs" (as JPMorgan chief executive Jamie Dimon so memorably put it). However, what is certain is that the burgeoning cryptocurrency market has proven attractive to investors and those with more nefarious intentions alike, presenting challenges for financial regulators and creating entirely new fields of potential litigation.
This article focuses on the cryptocurrency regulatory landscape, and two significant sources of cryptocurrency-related disputes: fraudulent Initial Coin Offerings (ICOs) and the hacking of cryptocurrency exchanges.
The regulatory landscape
The decentralised and user-controlled nature of the majority of cryptocurrencies has so far left the market in what has been described as a legal "twilight zone", as there remains very little protection in place for cryptocurrency issuers, exchanges or investors.
There remains little consensus on the best approach to policing the market, a divergence clearly illustrated as China and South Korea move toward blanket prohibitions on local companies and investors participating in ICOs, whilst in the UK the Financial Conduct Authority (FCA) continues to avoid making a definitive step.
The FCA currently does not regulate any crypto, so consumers and investors cannot rely on the protection which would usually be afforded by the regulatory framework when purchasing complex financial products. The FCA continues to issue statements urging potential investors to use caution when considering "very high-risk, speculative investments" in crypto, but it is yet to mark out its intentions to regulate the cryptocurrency space in the near future.
Similarly for the European Union, the ECB has determined that Bitcoin does not fall within the parameters of the EU Electronic Money Directive or the EU Payment Services Directive, which govern the execution of payment transactions with electronic money. The ECB concluded that, as there is no issuance on the receipt of funds, Bitcoin does not meet the criteria of electronic money. A disputed cryptocurrency transaction will therefore not have any recourse to resolution through these channels. Similarly, their nature leaves them beyond the scope of the Third Anti-Money Laundering Directive.
However, there are signs that the regulators are scrutinising the market more closely elsewhere, having originally dismissed the rise in Bitcoin as a craze which was likely to dissipate.
It appears that the US Securities and Exchange Commission (SEC) is conducting a period of watchful waiting before wading into the debate fully. A statement recently issued by Jay Clayton, the Chairman of the SEC, noted that concerns have been raised that cryptocurrency markets, as they are currently operating, feature substantially less investor protection than traditional securities markets, with correspondingly greater opportunities for fraud and manipulation. The onset of cryptocurrency-related class-actions in the US is forcing the regulator to consider whether its securities regulations will apply to digital tokens issued online to investors. Speaking to the Financial Times, Kathryn Haun of cryptocurrency exchange Coinbase suggested that the regulators were likely to "take their time and then make an example of one of the really big ICOs".
The Hong Kong Securities and Futures Commission (SFC) has adopted a similar approach, announcing on 9 February 2018 that it has formally warned seven cryptocurrency exchanges that they should not engage in trading cryptocurrencies which may constitute "securities" under local legislation. This action came in the wake of a number of complaints made by investors.
What is clear is that each of these regulators have recognised the need to warn issuers, exchanges and customers that seeking to ride the wave of cryptocurrency remains a high risk policy. It is notable that the early regulation focuses on the particularly volatile area of ICOs.
Initial Coin Offerings
2017 saw a substantial increase in the use of ICOs as a method of raising capital. The issuer lists tradeable assets known as "tokens" (as opposed to shares in an IPO) in exchange for investment to fund the development of a product, which is usually offered to the investors upon completion. For the legitimate issuer, an ICO represents an effective way to gain investment for innovative digital projects and their popularity with investors is a concurrent trend inherently linked to the rapid growth enjoyed by other cryptocurrencies; the three largest ICOs of 2017 (Filecoin, Tezos and Sirin Labs) raised a combined total of US$646 million.
However, despite the potential rewards on offer, there are clear risks for market participants on both sides of ICO transactions.
There have been a number of reports of ICOs wherein the issuing company or individual accepted investment with no intention of furthering any development. This year, the SEC stepped in to thwart a fraudulent ICO for the first time, halting a US$1bn offering operated by AriseBank in January after claiming it had made "materially false statements and omissions to induce investment" in its own cryptocurrency 'AriseCoin'.
In the event that investors have already paid into these schemes before suspension of trading, it is clear that their capital remains at risk; the FCA recently warned that over £87,000 was lost in the UK every day to fraudsters offering cryptocurrency investments which "typically promise high returns and use images of luxury items …. to entice people to invest". As noted above, the lack of legal framework in the majority of jurisdictions currently leaves those who have lost out with little recourse to assistance from their regulator. Any potential claims would likely rest on proving fraudulent misrepresentations made to the investors to induce investment.
Successful issuers meanwhile increasingly face the risk of claims by investors. In November 2017, the first proposed class-action was filed against Dynamic Ledger Solutions in the US District Court in Florida in respect of their ICO for tokens known as "Tezzies". The tokens were sold in order to fund Tezos, "a self-amending crypto-ledger" which the issuer continues to develop for release in 2018. The fundraiser represented one of the largest ICOs to date, yet news of the dispute (alongside reports of other internal governance issues) has caused reputational damage.
The action alleges that, despite their characterisation as a "non-refundable investment", Tezzies constitute a security for the purposes of US law and that the issuer accordingly acted in breach of securities legislation when advertising, offering and selling the tokens.
Whether the token offered in an ICO will be found to be a security will turn on the facts of each case and the regulatory framework of the jurisdiction of the claim; it is clear that regulators around the world will be paying close attention to the SEC's decision. However, it appears that given the current lack of clarity, any company or individual proposing to raise funds through an ICO should take qualified legal advice before any listing in order to ensure it is fully aware of the risks associated with doing so, to take steps to mitigate those risks and if necessary, comply with securities legislation in the relevant jurisdiction.
The hacking of cryptocurrency exchanges is becoming more and more frequent as exchange struggle to protect their customers' cryptos against increasingly sophisticated attacks.
Hackers have used a variety of methods of attack including taking advantage of an unencrypted backup of wallet keys (BitFloor, 2012), avoiding server security by fooling the exchange's hosting provider into rebooting the server in recovery mode (Canadian Bitcoins, 2014), and stealing cryptos that were stored in "hot wallets" (wallets connected to the internet) rather than "cold wallets" (wallets not connected to the internet) (Coincheck, 2018).
Exchanges and their customers have subsequently been left to deal with the fallout of the hacks, facing three options in particular.
Recovering the cryptos
Recovering cryptos stolen during hacks is incredibly difficult as the anonymised and de-centralised nature of the cryptocurrency system hinders the identification of the culprit and/or the location of the stolen cryptos. Even where hackers are identified, the stolen cryptos will often already have been dissipated, or stored in digital wallets to which the passkey is unknown.
Some hacked cryptocurrency exchanges, including Coincheck, have offered to compensate their customers in order to settle the dispute without the need for litigation.
Offering compensation allows the exchange to reassure current and prospective customers that they will be protected in the (hopefully unlikely) event that another hack occurs; this can be essential in preventing mass-withdrawals and the potential collapse of the exchange itself. A full and final settlement also provides the exchange with certainty of cost, enabling it to plan for this eventuality.
In order to make a settlement package, an exchange needs to make various considerations. For example, it must determine what amount of compensation to offer; this can prove difficult where the price of the crypto in question has changed substantially between the date of the hack and the date of the settlement offer. The exchange will also need to decide whether it is providing the compensation in the form of cryptos, physical currency or in another form such as shares in the exchange; this third option raises independent concerns of its own such as whether doing so would prevent the exchange operating in the manner it wants. Moreover, any compensation package would ideally bind all of the affected customers, otherwise lawsuits could be brought by those who are not bound; obtaining every customer's individual consent is likely to present a challenge given the number of customers who may be affected. Under English law, a scheme of arrangement offers a solution to this problem in that it enables a company to agree with at least 75% of its creditors (here, the loss-suffering customers) a compromise in respect of the debts owed by the company to those creditors. While traditionally used by companies in more standard insolvency situations, they could also be used to bind a hacked exchange's customers to a settlement. Unfortunately, not all jurisdictions have similar arrangements.
The aforementioned considerations and the divergences between the commercial interests of exchanges and their customers can make agreeing a settlement difficult; the prospect of litigation is therefore a serious one. Even with a settlement, the prospect of litigation may not be completely obviated; ten customers, frustrated at Coincheck's freezing of withdrawals, have since brought a separate claim in the Tokyo District Court to request the return of their currencies which are currently being held on the exchange.
The facts of the case will determine what claim(s), if any, could be brought against a hacked exchange by its customers. For example, under English law a breach of contract claim could be brought if the exchange is argued to have breached the agreement it had with its customers; a misrepresentation claim could be brought where the exchange is alleged to have made misrepresentations to the claimants, for example by claiming that it would store cryptocurrency cryptos in cold wallets but then storing them in hot ones; or a negligence claim could be brought where the claimants allege they were owed a duty of care by the exchange provider, and that this duty was not met.
The type of claim advanced and the success of the claim will depend on a number of factors, including: (i) the terms and conditions that governed the relationship between the hacked exchange and its customers who suffered a loss as a consequence of the hack; (ii) how the hack occurred and specifically, whether the customers who suffered a loss as a consequence of the hack were culpable in any way; and (iii) any representations made by the hacked exchange before or after the breach.
The decentralised nature of cryptocurrencies and the typically minimal documentation evincing the agreement between investors and exchanges mean that it is unlikely to be obvious which court has jurisdiction to hear a claim and what the applicable law of any claim should be. Claimants will likely continue to want to bring claims in jurisdictions which have either class or collective action regimes so as to minimise the costs of any action and to increase pressure on the defendant to reach a favourable settlement.
It is clear that the rapidly developing cryptocurrency market presents a broad scope for potential disputes. However, as regulators and lawmakers grapple with the challenges presented by utilising their existing regimes to police a supranational marketplace of anonymised transactions, it remains to be seen whether applicable legislation and civil procedure can be sufficiently adapted to protect those involved in the development of and investment in a potentially revolutionary new financial system.