Jenny Leung is an Australian attorney (New York Bar admission pending) who will be starting as a blockchain attorney at Blakemore Fallon in 2019. Formerly, she was an attorney at the Australian Securities and Investments Commission (ASIC) and a privacy consultant at PwC.

The following is an exclusive contribution to CoinDesk’s 2018 Year in Review.

7. Will the SEC define ‘sufficient decentralization?’

The SEC delivered some of its most important regulatory guidance of 2018 through conferences, interviews and personal statements. With each pronouncement, the SEC representative stated their views did not necessarily reflect the views of the SEC.

Looking back at the greatest hits, from “Every ICO I’ve seen is a security” to “If the network on which the token or coin is to function is sufficiently decentralized … the assets may not represent an investment contract” and “current offers and sales of ether are not securities transactions,” the SEC has not officially confirmed any of these statements and has instead clarified that staff views are non-binding and create no enforceable legal rights.

Although the SEC does not make law, it may release official guidance on these areas that will effectively set up goalposts for blockchain networks to achieve “sufficient decentralization.”

Even if some level of decentralization could bring token sales outside of the SEC’s jurisdiction, was SEC Commissioner William Hinman correct in saying that the ethereum network is sufficiently decentralized? At what stage would offers and sales of a token transform from a security to a non-security?

6. Will a crypto ETF be granted?

The last remaining cryptocurrency-based ETF application, the VanEck/SolidX Bitcoin ETF, may see an answer on February 27, 2019. Some key questions that remain are:

The scope of the term “significant markets.” To quote the VanEck SolidX Bitcoin Trust Presentation, “As issuers we are concerned the SEC staff have created a moving target in their use of the word ‘significant.’ The Staff have never provided guidance as to what ‘significant’ means, enabling them to move their goal post indefinitely.”

The correct interpretation of Securities Exchange Act of 1934 Section 6(b)(5), which requires that the rules of “the exchange” are designed to prevent fraudulent and manipulative acts and practices. Does “the exchange” refer to the national securities exchange where the ETF would trade, or the bitcoin spot market? See SEC Commissioner Hester Peirce’s dissent.

Whether the underlying bitcoin (or cryptocurrency) spot markets are indeed resistant to fraud and manipulation (and how the Department of Justice’s investigation into Tether will affect this analysis).

5. Can blockchain systems comply with privacy regulations?

The French Data Protection Authority (DPA), members of the EU Parliament and the EU Blockchain Observatory and Forum are among the few governmental actors that have publicly acknowledged the tensions between blockchain and the GDPR, in particular the rules around the right to erasure, right to rectification and the principle of data minimization.

Some companies have simply blocked European residents from accessing their websites or services, but this may no longer be a feasible solution with California’s own privacy law (California Consumer Privacy Act) coming into effect in 2020 and the recent push for a U.S. federal privacy law.

A number of proposed solutions to GDPR compliance exist, such as zero-knowledge proofs and destruction of private keys, but it remains unclear whether they constitute methods of erasure or anonymization.

The French DPA has gone the furthest to suggest that solutions such as the destruction of private keys would allow data subjects to get closer to an effective exercise of their right of erasure.

Will the EU Data Protection Board issue guidelines and recommendations to “ensure that blockchain technology is compliant with EU law” as suggested by the Committee on Civil Liberties, Justice and Home Affairs?

4. Will international regulators work together?

As blockchain projects become more geographically decentralized, anonymous and/or censorship resistant, domestic regulators must tackle breaches of their laws by facilitating global coordination or, perhaps, harmonization of their securities, commodities, money transmitter, and tax laws.

In 2018, efforts arose from IOSCO, CPMI, G20 and FSB, OECD, and the EU Blockchain Partnership (launched by the EU Commission). However, it may be years before we see any real progress due to the differing approaches and attitudes of regulators and governments around the world.

How can the wide range of regulatory responses from different nations within these international organizations be reconciled?

Are crypto investors and blockchain companies really ‘flocking to Blockchain Island Malta in droves’ and if so, how will these new crypto-friendly frameworks stack up against more established, but restrictive regimes, such as the U.S. securities law framework and years of established case law?

3. Will (and can) privacy coins be banned?

While cash and fiat transactions can be controlled and monitored through banks, financial institutions and customs agents, transactions in privacy coins such as zcash and monero may be more difficult to trace due to cryptographic techniques such as zero-knowledge proofs and ring signatures.

Regulation could come in the form of outright bans or regulatory pressure (see reports on Japan’s Financial Security Agency pushing crypto exchanges to delist zcash, monero and other coins earlier this year). However, privacy coins may still be tradeable on foreign crypto exchanges, P2P, on OTC markets, decentralized trading platforms, or websites such as localmonero which might escape the telescopic view of regulators.

Perhaps the most practical way to regulate privacy coins today is to allow them to be traded on regulated crypto exchanges, which could encourage trading under the watchful eye of regulators and create an initial auditable trail. After all, an on/off ramp trail is better than none.

For example, two regulated crypto exchanges, Gemini and Coinbase, recently began offering the trading of zcash. Both exchanges now allow withdrawals of zcash to be made to transparent addresses only, as opposed to shielded or private addresses. As a result, there is now a discoverable trail of the initial transaction which would not have existed had it been conducted off-exchange.

Will regulators around the world follow the U.S. approach in authorizing the listing of privacy coins on regulated exchanges or Japan’s approach in encouraging the delisting of privacy coins?

2. Will we be able to regulate decentralized exchanges?

Prior to 2018, many believed that DEXs were unstoppable, and DEXs rarely implemented know-your-customer (KYC) procedures. If one did, the community would not have considered it a “true” DEX – at best it was a non-custodial exchange with a central party controlling access.

In 2018, the SEC published guidance on online platforms for trading digital assets, ShapeShift reluctantly introduced KYC in the form of compulsory membership, and the SEC fined EtherDelta’s creator for causing software to violate the law requiring registration of securities exchanges. Perhaps in 2019, true DEXs will emerge and difficult regulatory questions will proliferate.

How do you regulate an unstoppable, headless unregistered securities exchange platform? How do you regulate the trading of privacy coins on these platforms? Will recent regulatory guidance push developers to go anonymous?

1. Will developers be held responsible for violations of law?

In corporate law, the “corporate veil” allows a corporation to be treated as a separate legal entity, insulating the company’s owners, in most cases, from personal liability for the company’s violations.

Somewhat analogously, a “tech veil” has helped code developers escape liability from state and federal regulations and civil lawsuits arising from bugs in, or third parties’ malicious use of, their code. This “tech veil” is maintained by courts’ willingness to uphold broad disclaimers in open source software licenses, and is bolstered by the principled argument that users (not coders) ultimately cause and should take responsibility for criminal violations of law (e.g. see Augur’s FAQ: “Augur is not a prediction market, it is a protocol for cryptocurrency users to create their own prediction markets”).

However, just as the corporate veil can be pierced under certain circumstances, the “tech veil” may be as well – and 2018 provided hints as to when this could occur: first, when CFTC Commissioner Brian Quintenz suggested that smart contract code developers could be prosecuted for wrongdoing where it was reasonably foreseeable the code would likely be used by U.S. persons in a manner violative of CFTC regulations; and second, when the SEC charged Zachary Coburn (founder of EtherDelta and writer/deployer of the EtherDelta smart contract) with operating an unregistered national securities exchange.

What is or is not reasonably foreseeable in an age of constant innovation?

How, if at all, will courts and regulators distinguish between the role of the code writer, deployer of the code, and platform operator? Will the “tech veil” be pierced further in criminal or civil cases and if so, how will enforcement be affected by decentralized networks, unstoppable smart contracts and anonymous code developers?

We’ll have to wait for our answers in 2019.
