Summary of Findings

Selling tokens through an ICO without SEC registration requires escaping what we call the “Hinman paradox.” A token can only be widely distributed to the public if the project it is associated with is functional. But a blockchain project can only be functional if its tokens are widely distributed.

Blockchain projects with simple, well-defined, and compelling objectives may be able to achieve the requisite degree of functionality and de-centralization so they can sell utility tokens without being subject to securities regulation.

The SEC’s incremental approach to regulating ICOs reflects the difficulty of balancing the policy goals of protecting investors and promoting entrepreneurship. As the risk of harm to retail investors increases, the SEC should enforce the securities laws more decisively.

The SEC’s November 16, 2018 enforcement settlements send the message that non-functional token sales without a clear path towards de-centralization will not be tolerated.

The sudden rise of Initial Coin Offerings (ICOs) has created unprecedented challenges for the Securities & Exchange Commission (SEC). Rather than selling stock, ICOs typically raise funds by selling tokens (a type of cryptocurrency) to investors, many of whom hope to profit as the value of such tokens increases. Hundreds of companies developing projects relating to blockchain technology have sold tokens through ICOs directly to public investors without filing a registration statement with the SEC. Such sales are unlawful if such tokens fall within the ambiguous definition of a security.

Though there has been significant SEC scrutiny of ICOs for more than a year, according to a PWC report, in the first half of 2018, there were 56 ICOs that raised more than $1 billion in the U.S., compared to 87 ICOs that raised $1.7 billion in all of 2017. Billions more have been raised overseas. Many of these overseas ICOs do not bar U.S. investors.

While the last few months have seen the first federal district court ruling that a token is a security as well as a few SEC enforcement actions (on November 16, 2018, the SEC imposed penalties on two unregistered ICOs for the first time), the SEC has not provided much guidance as to when a token is a security. The most notable pronouncement was a speech this past summer by William Hinman, who heads its Corporate Finance division. Hinman took the position that Ether, a cryptocurrency that was initially sold through an ICO, was once a security but is no longer a security. The SEC announced a few weeks ago that this speech will be the basis for a forthcoming “plain language” guide relating to ICOs.

The regulation of ICOs is important not only because it raises basic questions about the reach of the federal securities laws, but because it illustrates the challenges the SEC has faced and will continue to face in regulating entrepreneurs. In this post, we ask and discuss four questions: (1) Why isn’t Ether a security? (2) When is a blockchain project functional? (3) Will the SEC stop ICOs? and (4) Is the rise of ICOs evidence that entrepreneurs have insufficient access to capital?

This post assumes some basic knowledge of cryptocurrencies and the Howey test, which specifies when an investment contract is a security.

Why Isn’t Ether a Security?

In a widely noted speech this past summer, William Hinman, the Director of the SEC’s Division of Corporate Finance, implied that Ether, an important cryptocurrency, is no longer a security. He started with a rhetorical question: can “a digital asset that was originally offered in a securities offering ever be later sold in a manner that does not constitute an offering of a security?” He answered with a “qualified” yes for “cases where there is no longer any central enterprise being invested in or where the digital asset is sold only to be used to purchase a good or service available through the network on which it was created.” In applying this framework, he concluded that “based on my understanding of the present state of Ether, the Ethereum network and its decentralized structure, current offers and sales of Ether are not securities transactions.”

Hinman’s speech raised the possibility that a token can start as a security and evolve into something else (we’ll call it a currency) that can be sold and traded without SEC regulation. The Division of Corporate Finance is influential because it regulates the sale of securities. In September of this year, SEC Chairman Jay Clayton endorsed Hinman’s analysis. Recently, the SEC announced that it would release a “plain language” guide on the application of the securities laws to tokens based on Hinman’s speech.

When it raised $18 million through an ICO, Ether was selling a security. The founders of Ethereum sold Ether to investors to fund the common enterprise of creating a platform to launch blockchain projects. While the investors had no right to any profits generated by Ethereum, they hoped that the value of Ether would increase after the platform was successfully completed.

In most cases, a security begins as a security and remains a security. Investors purchase stock from the issuer with the hope that it will rise in value. A market may arise where investors trade the security. The price of the security will mainly fluctuate based on the performance of the company that issued it.

Cryptocurrencies like Ether do not neatly fit into the category of an investment. In addition to having investment contract characteristics, a purchaser can use a cryptocurrency to access a service or platform once it is up and running. For example, Ether is used as a currency to pay third parties to verify transactions that are recorded on a blockchain ledger on the Ethereum platform. As described by the Ethereum white paper, “‘Ether’ is the main internal crypto-fuel of Ethereum, and is used to pay transaction fees.” Many ICOs involve utility tokens, which can be used to pay for services such as cloud storage or access to an ad-free internet browser. Because a token can be used to pay for services, it is difficult to classify solely as an investment.

At first glance, a utility token offering can be likened to the pre-sale of a product rather than the sale of a security. A diverse range of products, such as video games, have been funded from pre-sales on popular crowdfunding sites without SEC intervention. As the Ninth Circuit has noted in a different context, a transaction is not a security when “[t]he risk [the purchaser] assumed was that which any buyer takes when he pays in advance for goods to be delivered in the future.” Some of these pre-sales have raised millions of dollars and have not produced a viable product. For example, $58 million was raised in 2014 to develop the Star Citizen game, which has yet to be released.

One problem with this analogy is that the value of a commitment to purchase a product in advance will not fluctuate dramatically. With utility tokens, such fluctuation is likely and essential for the project to work. Individuals will only verify transactions if they believe that the tokens they receive for such verification will be worth something. Tokens will only have value if there is a secondary market where they can be traded. Such markets are less likely to arise without broad distribution of tokens to investors.

However, a utility token is not a security simply because its price fluctuates in secondary markets. Cases have held that contracts involving the sale of silver and gold bars are not securities. While the value of the contract could fluctuate, “once the purchase of silver bars was made, the profits to the investor depended upon the fluctuations of the silver market, not the managerial efforts” of a company. Some courts have found that such a gold or silver contract is not a security even when the precious mineral has not yet been extracted. Though it was a “close case,” the Ninth Circuit found in SEC v. Belmont Reid that the investor’s profit from such an investment arrangement would come primarily from market fluctuations. The California Court of Appeals in Moreland v. Department of Corporations came to a similar result, explaining:

The transportation, milling, refining and hallmarking of the gold are mechanical or manufacturing functions which would not appear to involve the exercise of significant managerial discretion in the use of the investor\’s money. Moreover, regardless of how competently or successfully appellant performs such functions, the bottom line of his agreement under the refining contract is a contractual commitment to deliver a fixed number of troy ounces of .999 pure gold for $250 an ounce.

Other courts have disagreed. Looking at the same investment contracts at issue in Moreland, the Ninth Circuit in S.E.C. v. R.G. Reynolds Enterprises, Inc. observed that

Moreland undertook to finance, construct, and operate the refining plant, to refine investors’ ore, and to deliver the gold to a reputable company for hallmarking and certification of its purity. These were the essential managerial efforts that would affect the success or failure of the Moreland Gold Program.

In cases where investor profits may come from a combination of managerial and market efforts, it can be difficult to predict whether a court will find that an investment contract is a security.

Most utility tokens can be distinguished from gold and silver contracts on a number of grounds. First, precious metals have been stores of value for thousands of years with liquid secondary markets. There is less confidence that utility tokens trade in a well-functioning market. Second, utility tokens do not have the same uniform quality as gold or silver bars. They look more like barrels of Scotch that require expert assessment to sort the good from the bad. As the Cardozo Blockchain Project explained, “[u]nlike physical commodities—such as gold, silver, or sugar—utility tokens are not homogenous and carry with them various rights, features, and obligations.” Third, the fluctuation of utility token prices will likely be tied to the fortunes of the underlying service or project that is being developed. The profitability of most tokens is tied to the “efforts of others” involved in the enterprise.

Returning to the example of Ether, there is an argument that Ether is now a store of value that somewhat resembles a currency like gold or silver (though it has a long way to go to have the same staying power as a currency as those precious metals). It has become an industry standard that is widely used to access the Ethereum platform. It trades in an established secondary market.

The SEC’s position that Ether is no longer a security could be based on some form of the risk capital test. Developed in an opinion written by California Supreme Court Chief Justice Roger Traynor, this test arose in a case where memberships were pre-sold to fund the construction of a new country club. While country club memberships are not typically securities, because there was a substantial risk of losing the funds if the country club was not completed, the court found that they were securities even though the value of the memberships was unlikely to increase in value. Presumably, once the country club was complete, memberships could be sold without being considered securities.

When is a Blockchain Project Functional?

The SEC’s position on Ether suggests that a cryptocurrency that is initially a security may evolve to become something else. The difficult question is determining the point when a venture has become so established that the value of a utility token is no longer tied to the “efforts of others” to run a profitable business.

The possibility that a cryptocurrency could start as a security and eventually achieve non-security status was anticipated in a white paper authored by lawyers from the law firm, Cooley LLP. It set forth a two-part process for selling tokens without registration through a Simple Agreement for Future Tokens (SAFT). In the first stage, investment contracts promising future delivery of tokens are sold to sophisticated investors without registration in private placements. In the second stage, after the project has reached a stage where the token is “functional,” the enterprise will sell utility tokens to the general public.

Although Director Hinman did not offer a clear answer on the validity of the SAFT, in a footnote to his speech, he observed that an implication of his analysis is that the SAFT may be a valid option. He wrote: “I believe a token once offered in a security offering can, depending on the circumstances, later be offered in a non-securities transaction.”

The challenge of adopting the SAFT proposal is the difficulty of knowing when a cryptocurrency is “functional” enough so that it ceases to become a security. The Cooley paper was vague on this point, asserting that “the market effect of a mere improvement on an already functional utility token is likely dwarfed by the multitude of other factors that act on it.” The problem is that the “multitude of other factors” could also include irrational exuberance by uninformed investors who believe there is profit potential to an investment.

If Ether is the standard, a blockchain project would have to be extremely successful for its tokens to be considered a currency. Ethereum is now the dominant platform that is used by a majority of blockchain projects. One study that looked at 453 ICOs found that 74% were on the Ethereum blockchain. Ether is a currency that is widely accepted in ICO transactions and for at least the last year has held significant, though fluctuating, value.

Lawyers at the Wilson Sonsini law firm have thus been skeptical that tokens for the vast majority of ICOs will evolve out of their initial security status. They propose that the second step of the SAFT transaction should involve a Regulation A+ offering. Such an offering would be less expensive than a traditional IPO but would still cost about $1 million for the issuer.

Even with Ether, questions remain as to the SEC’s position. The value of Ether is at least partly determined by the success of the Ethereum platform. If the platform becomes less successful, the value of Ether will surely fall (as it has over the past year). If it becomes even more successful, the value of Ether will surely rise. Ethereum is in a sense no different than a public corporation whose stock rises and falls based on its performance.

Perhaps the difference between Ethereum and a public company is that if Ethereum is truly a de-centralized venture, it has no central management that determines the success of the company. If so, an essential element of the Howey test is not met.

But there are questions about whether the Ethereum project is truly independent of its founders. About a year ago, the price of Ether plummeted after a report that its founder had died in a car crash. At that point in time, it would have been somewhat difficult to argue that Ether was not a security because its management was still critical to its operation.

It is unclear whether any blockchain project can ever be completely independent of its founders. Even the Ethereum platform requires some ongoing maintenance to function. It has a foundation that seeks to “promote and support” the platform. Would maintenance by some coordinating authority mean that the value of Ether is dependent on centralized management? Probably not. Even a country club needs maintenance over time, yet we do not think of country club memberships as securities.

But what if the goal of the foundation is to not only maintain the project but expand it? The Ethereum foundation has a research group that is “working on future versions of the Ethereum protocol.” If the foundation is working to improve Ethereum to increase the value of the Ether held by the members of the foundation, the foundation may resemble a centralized management team that is trying to increase a firm’s value. On the other hand, given the fast rate of innovation for blockchain technology, constant improvement may be necessary just to maintain a platform’s basic relevance.

Another challenge of achieving the decentralization that might free a token from its status as a security is that such decentralization requires wide distribution of the tokens. As attorneys from Wilson Sonsini have explained, “for many token platforms to operate efficiently, the platform must algorithmically or otherwise generate and pay tokens to miners, oracles, verifiers, or others who provide valuable services to the platform and the broader token ecosystem.” Therefore, “these tokens must be capable of being delivered to any person . . . and must be freely tradeable upon receipt. . . .”

Put another way, for a utility token to be distributed freely without regulation by the securities laws, it must be functional. But many utility tokens are only functional if they are distributed widely enough so that a de-centralized system arises. We call this the Hinman paradox (with apologies to Director Hinman).

The question is whether there are projects that can escape the Hinman paradox. One possibility is that an idea is so compelling, that enough users are willing to participate in the project without the prospect of immediate gains.

Ether may not be the right comparator for assessing which utility tokens are unlikely to be securities. The Ethereum project was extremely ambitious in seeking to establish a widely used platform for smart contracts. Most ICOs involve projects of more modest scope. To the extent that a smaller project can meet a discrete goal, it is more likely it will reach a level of functionality that would make its tokens fall outside the reach of the securities laws. Of course, the sellers of such utility tokens must also avoid problematic selling tactics that would encourage a speculative market in such tokens.

Another observation that should be made is that while a token like Ether could cease to become a security, it could also fall back into security status in certain circumstances. Suppose a single individual gains control of more than half of the Ethereum network’s processing power and could thus essentially control the platform. If that happened, it would be likely that the success of the platform would depend upon the decisions made by that individual.

Cryptocurrencies thus raise incredibly complex and interesting questions about the nature of securities. Director Hinman’s observations provide some clarity to the SEC’s position and raises the possibility that some blockchain projects could eventually sell utility tokens without registration.

Will the SEC Stop ICOs?

The SEC has moved in fits and starts to enforce the securities laws against unregistered ICOs. At first glance, such a strategy is puzzling given the likelihood that ICOs often involve securities that cannot be offered to the public. Why hasn’t the SEC acted more decisively to prevent investors from being defrauded?

Initially, regulators mainly brought enforcement actions against a small number of ICOs that were especially problematic. For example, the SEC’s DAO investigative report was prompted by the theft of cryptocurrency worth $60 million due to a security flaw. A federal criminal case was brought against an individual who falsely represented that the proceeds of the ICO would be invested in real estate but instead simply took the funds.

Perhaps the most notable cases involve tokens that attempt to lure investors with the promise of extraordinary returns. Even when there is a substantial argument that an ICO involves a utility token, if the token is offered to investors for its potential for appreciation, it is likely subject to SEC regulation. For example, if the value of a token is not tied to the profitability of a venture, it would not satisfy the requirement that the investor “expects profits.” However, if the sales materials describe the token as having profit potential, it would be offered in a way so that the investors would “expect profits.” Based on this principle, the SEC brought a case stopping the Munchee ICO. The MUN token sold in that ICO could be earned by writing restaurant reviews and might eventually have been accepted at reviewed restaurants for food purchases. It thus could have been viewed as a type of currency. But sales materials associated with the token promised profits. A video described the possibility of “199% GAINS on MUN token at ICO price!” and speculated “that a $1,000 investment could create a $94,000 return.”

Almost a year after it announced its initial efforts to investigate ICOs, the SEC took a major step on November 16, 2018 in bringing two enforcement cases against ICO projects that each imposed a substantial penalty of $250,000 and required registration of the issued tokens. In addition, the settlements took the unusual step of requiring the violators to inform their investors of their right to rescind the investment and get a refund. These settlements are a strong warning that the SEC intends to enforce its registration requirements.

The settlements provide some guidance about the types of ICOs that are likely to trigger enforcement. These projects were not functional and did not offer a roadmap to decentralization. One of the projects was essentially the expansion of a pre-existing business that sold discounted airtime on mobile phones. The other project offered a vague plan “to deploy a suite of blockchain enabled products to organize, systemize and bring verification and stability to the cannabis industry.” Projects that are further along with a clearer plan for decentralization might be more likely to avoid SEC enforcement.

Moreover, while the penalties were significant, consider that both ICOs raised about $15 million from investors. While some of the funds raised will have to be refunded to rescinding investors, assuming the funds have not been already squandered, there should be sufficient money to pay the penalties and register the tokens.

The SEC’s strategy of bringing a limited number of cases may reflect the SEC’s finite resources. Rather than police every ICO, the SEC may be targeting only the ones where it has an especially strong case. This may be a prudent approach because, as evidenced by a recent decision denying a preliminary injunction with respect to the Blockvest ICO, courts may not uniformly adopt the SEC’s views about when a token is a security. By targeting clear and significant violations, the SEC can incrementally build support for its enforcement program.

The SEC may not feel as much pressure to act because investors who are defrauded have private remedies that they can invoke. If investors establish in court that an unregistered ICO involves a security, they get a once-in-a-lifetime deal under Section 12(a)(1) of the Securities Act: If the cryptocurrency turns out to be a good investment, the investor can keep the investment. But because anyone who buys an unregistered security has the right to rescind the transaction, if it turns out to be a bad investment, the investor can get a full refund from the company. Moreover, if the company misrepresents the project in some way to investors, they have the right to bring a fraud suit to recover damages.

Of course, private suits have their limitations. A legal claim by investors will do no good if the founders of a company abscond with the funds. The statute of limitations for a rescission claim is one year, and so investors must act promptly to file a suit (but if there is a fraud, investors have more time to sue). Investors who purchase cryptocurrencies in secondary markets will find it more difficult to recover their losses.

Another factor is that the SEC faces significant pressure to promote entrepreneurship. Soon after he initially condemned ICOs as frauds, SEC Chairman Clayton suggested that rules governing private funding by entrepreneurs are too burdensome. The SEC is considering whether to liberalize such rules, in part so that retail investors can potentially invest at an early stage in the next Facebook or Google. The SEC must weigh competing policy goals—protecting investors while promoting capital raising. Its cautious enforcement approach may reflect the need to navigate both concerns at once.

A final reason the SEC may be proceeding incrementally is that ICOs are unlikely to completely revolutionize capital raising by start-up companies. Blockchain projects are unique in that they typically seek to achieve decentralization, which is the main basis for arguing that their token sales do not involve the sale of securities. More conventional ventures envision a business model with central management to run the business in perpetuity.

The risk of the SEC’s approach of mainly bringing cases against clearly problematic ICOs is that it sends mixed signals to the industry. As ICOs become normalized, entrepreneurs and investors will become accustomed to unregistered public offerings of tokens. Some investors will inevitably fall through the cracks and suffer substantial losses.

An argument could be made that investor losses in this context are acceptable because ICOs are part of a self-contained system. Cryptocurrencies may only be purchased by exchanging other digital currencies such as Bitcoin. In an ICO, the issuer sells a pre-functional cryptocurrency. That cryptocurrency itself is a smart-contract that is activated when a deposit of a more established cryptocurrency such as Bitcoin or Ether has been received. Thus, ICOs do not directly raise funds in the form of more traditional currencies such as dollars.

While many investors purchase Bitcoin or Ether on exchanges using dollars at current market prices, many investors obtained it by mining it or purchasing it before it rose exponentially in price. Much of the wealth stored in these cryptocurrencies represents capital gains by early investors. Regardless of whether it is invested in tokens, such gains could dissipate at any time if the price of Bitcoin and Ether were to collapse (indeed the price of both have declined significantly over the last year). If the main investment in ICOs represents speculative gains that are being reinvested, it is unclear whether there are strong policy reasons for the SEC to protect such investments. Most ICOs raise relatively small amounts from investors and are not listed on exchanges, making it less likely that a wide range of investors will purchase the tokens. Though significant amounts have been raised through ICOs, the total amount is a small percentage of the $300 billion market capitalization of Bitcoin and Ether.

However, if these investments are increasingly made by late investors in Bitcoin who purchase it for cash, as some regulators have suggested, there would be a stronger reason for the SEC to step in. The SEC’s September 2018 enforcement case against TokenLot, a “website platform” that called itself the “ICO Superstore” and sold tokens to more than 6000 retail investors, 23 and its November 2018 settlement with EtherDelta, a token trading platform that executed 3.6 million transactions over 18 months, could be part of a strategy to limit the potential damage of fraudulent ICOs.

In the announcement of the EtherDelta settlement, the SEC’s Co-Director of Enforcement observed: “We are witnessing a time of significant innovation in the securities markets with the use and application of distributed ledger technology . . . [b]ut to protect investors, this innovation necessitates the SEC’s thoughtful oversight of digital markets and enforcement of existing laws.” Though it has the power to stop ICOs, the SEC has recognized that it must act with care in regulating entrepreneurship.

Is the Rise of ICOs Evidence That Entrepreneurs Have Insufficient Access to Capital?

On the surface, it appears that there is more than enough private capital that entrepreneurs can draw upon to develop promising ideas. The explosion of ICO transactions may indicate that even private capital has costs that start-up companies seek to avoid.

Increasingly, entrepreneurship has been funded by private investors rather than public markets. The collapse of the first internet bubble showed that public investors are not truly willing to bear the risk of the volatile prospects of emerging companies. The Sarbanes-Oxley Act increased the expectation that public companies will invest in costly measures to prevent fraud. Companies that are not able or unwilling to commit to such compliance measures cannot sell securities to public investors.

Private venture capital and angel investors have filled in the gap to provide funding to start-up companies. Rather than raise funds from an initial public offering, the most promising entrepreneurs can raise similar amounts of capital from sophisticated investors in offerings that do not require SEC registration. Such private investment is available to founders with a strong track record or those with an idea that clearly has promise.

While private placements of securities do not require submitting to federal regulation, they do require the start-up to give up some ownership to an outside investor. The terms of private placements are negotiable, but most companies will have to cede significant control to their investors.

For entrepreneurs seeking to disrupt industries, even the gatekeepers of private capital are an unnecessary transaction cost. The internet offers a way to reach millions of potential investors who will not insist on control. Crowdfunding sites have shown that millions of dollars can be raised in small chunks for projects. Rather than go through the gauntlet of ivy league educated financiers, why not take a good idea directly to the public?

For blockchain evangelists, decentralized control of a project is even more compelling. Bitcoin was founded on the belief that a currency could be created that does not rely upon the stamp of a central bank. Blockchain projects build on the concept of Bitcoin by utilizing decentralized ledgers to verify transactions. Tokens allow a wide variety of participants to take part in such projects.

If blockchain has staying power as a technology, the SEC might consider expansion of its exemptions to facilitate ICOs. If the industry produces at least a handful of working, viable, projects, there would be a case that the SEC should relax its regulation of ICOs. Most projects raise modest amounts. A sample of 364 ICOs that issued tokens traded on an exchange raised an average of $15 million and median of $6.6 million. Modestly expanding the $1 million limit of the SEC’s crowdfunding exemption could provide a way for smaller blockchain projects to get started.

More effective self-regulation could help preempt the need for more extensive government intervention. The computer code that governs the ICO process could be programmed in such a way to provide investors with protection from fraud and theft by founders. A recent study finds that many ICOs do not contain such protections even though they could. Exchanges could require ICO projects to have such code before they are listed. The SEC could announce that the existence of protective code would weigh against the initiation of enforcement proceedings against a project.

Rather than a sign that capital is unavailable, ICOs are a first volley at the use of gatekeepers who intermediate the raising of capital from investors. The challenge of ICOs is that there must be a substitute for the gatekeepers who make an initial assessment that founders can be trusted and have a credible idea. The question is whether or not ICOs can find a meaningful substitute for such gatekeeping.

This post would not have been possible without the excellent research assistance of Howard Park. Thanks also to Nareg Essaghoolian, Joel Feuer, Veronica Reynolds, Daniel Tejumson, and Reginald Young for helpful comments, and to Daisy De Leon for formatting the report.

The complete publication, including footnotes, is available here.