Managing the Risks of Crypto Assets for Buyers
In this article, I discuss with Neil Miller, founder at crypto due diligence firm TenIntelligence, the risks associated with purchasing crypto assets and how they may be mitigated and managed.
Fear of Missing Out
We are in the midst of a crypto asset gold rush, with cryptocurrencies and NFTs being the must-have investment assets.
However, cryptocurrencies and NFTs are so new, and the fear of missing out is so great, that many purchasers are not carrying out what might be termed ‘sensible’ or even ‘essential’ due diligence before buying. The result is an increased risk of loss (and in some cases, litigation); as we will explore in this article, the purchasers of crypto assets cannot rely solely on government regulation or lawyers (as good as they may be) to be their only protection or risk mitigation.
What is the Risk?
In the UK, unlike other forms of investments, crypto assets are currently largely unregulated. The press is reporting an increasing number of cases of fraud: from investment scams involving the mis-selling of cryptocurrencies at the Initial Coin Offering stage, to copyright-infringing NFTs (leading to liability and loss for the purchaser), to the theft of tokens from crypto coin exchanges and wallets.
Whilst fraud can be reported to the Police/Action Fraud (and we would always suggest it should be in any event), the authorities often do not have sufficient resource to allocate to investigate and prosecute wrongdoers.
In many cases it is therefore left to specialist commercial litigators to seek to enforce individual rights and recover assets.
The number of cases being brought in the English courts against coin exchanges, cryptocurrency and NFT creators (and traders) has increased exponentially over the last few months, keeping specialist lawyers in the crypto field extremely busy.
Risk cannot be eliminated, and we therefore need to consider some practical ways in which to mitigate and manage the risks associated with purchasing crypto assets.
Is Regulation the answer to Risk Mitigation and Management?
In short, the answer is no, currently.
The UK government has plans to strengthen the rules on crypto asset advertisements and protect consumers from misleading claims, by bringing the promotion of crypto assets within the scope of financial promotions legislation. However, at the time of writing, such plans are yet to be implemented. The government says that it does not wish to stifle innovation in the crypto sector; however, it wants to ensure greater safeguards are in place.
In respect of certain crypto assets, such as NFTs, they may fall within regulation if they match the criteria of either ‘electronic money’ (under the UK Electronic Money Regulations 2011) or a ‘security token’ (as a specific investment under the UK Financial Services and Markets Act 2000 (Regulated Activities) Order 2001). However, outside of those specific token definitions, there is little to no regulation or safeguards.
The Financial Conduct Authority (FCA) has taken steps to bring those carrying out crypto business in the UK within the existing Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) regulations that cover other regulated businesses; however, that may in practice do little to protect purchasers.
Those having to register with the FCA under the AML and CTF regulations include: crypto asset exchange providers (including crypto asset Automated Teller Machines (ATMs), peer-to-peer providers, and those issuing new crypto assets, e.g. Initial Coin Offering (ICO) or Initial Exchange Offerings), and wallet custodians.
The FCA’s responsibility under this regime is however limited to AML/CTF registration supervision and enforcement only. Registration under the MLRs does not mean that consumers will benefit from the protections of the Financial Ombudsman Service or the Financial Services Compensation Scheme (FSCS). Further, as most crypto assets are not “specified investments” it is unlikely that customers will have access to the Financial Ombudsman Service or FSCS.
The risk for purchasers of crypto assets here is also that if the business with which you are dealing is not registered when it should be, and is then subject to investigation and enforcement, it can have a negative impact on your assets, leading to loss if those assets are seized.
It should also be noted that HMRC is now taking an active interest in crypto assets, including their potential seizure: for example, HMRC has recently seized three NFTs as part of a probe into a suspected VAT fraud involving 250 alleged fake companies.
In summary, one cannot rely solely on regulation at this time for risk management for a purchaser of crypto assets.
Are Lawyers the answer to Risk Management?
The answer is “yes, in part.”
Lawyers are often thought about too late in a transaction, i.e. after the asset has been purchased. For example, if a crypto asset has been mis-sold or stolen, and the seizure and recovery of the assets or funds paid for the assets are sought, a legal action can be brought as a means of recovery; however, this is all after the event.
Legal actions in respect of crypto assets can be expensive and the costs are front-loaded, as the first steps in any such action are often to:
- trace the location of the crypto assets/funds;
- identify the perpetrators; and
- seek a proprietary injunction either over the assets themselves, or a freezing order over the assets of the perpetrators (or both).
There can be good chances of success in a legal action; however, litigation always carries an element of risk.
Are lawyers only relevant after a purchase, when it goes wrong? Well, as we are discussing managing the risks of crypto assets, we would suggest that specialist crypto lawyers are retained to advise as to the risks of a particular purchase before it is made. For example, with an NFT it is necessary to consider the nature of intellectual property rights accompanying the token, and the relevant rights, including how the smart contract purporting to grant those rights is drafted. Due diligence on the asset and the rights accompanying it is something we would recommend.
Lawyers do play a part in risk management from a due diligence standpoint, but they are not the only available resource or the sole answer to the question.
Is Practical Due Diligence the answer to Risk Management?
The answer to the above is ‘yes, in part’.
It is often true that ‘prevention is better than cure’ and that certainly applies in the case of crypto assets. It is interesting that due diligence is always carried out in corporate transactions involving the sale and purchase of companies or other high-value assets, and similarly in the art world where provenance of a work is key. However, it is often not the case with crypto assets, which can cost as much as, or more than, ‘traditional’ investment assets such as property, businesses, and physical artworks.
Due diligence should apply as much in crypto as it does elsewhere. If we consider the example of an Initial Coin Offering (ICO), which is relatively common in the crypto world, the cryptocurrency will release a ‘white paper’ as a first step, which is a marketing tool that's used to persuade and influence investors.
There is no standard template for a crypto white paper, however it will typically include a project outline, the solution it purports to provide, an overview of the team behind the offering, information regarding the token release and marketplace considerations (typically the value, the number of tokens to be in circulation, and the platform on which they are to be issued), and a project roadmap.
The information about the team may include photographs, short biographies, links to LinkedIn and Twitter profiles; it is designed to establish trust. An investor should be confident that the team proposed is capable of delivering on the project’s promises (the solution). A whitepaper is just a marketing tool, however, and it’s vital to see and trust the information it represents. So, why not undertake some due diligence on the people and other companies behind the offering before investing?
Further, a whitepaper is a living document, updated and edited as the project continues; due diligence is therefore likely to need updating as the whitepaper is updated.
Will applying existing Financial Crime compliance measures work?
“Yes, applying compliance measures is a proven technique to help mitigate risk.”
Neil Miller outlines below how TenIntelligence can assist with practical due diligence, which has become essential in the current market.
Good financial crime compliance and anti-money laundering directives all require organisations to introduce a risk-based approach to enhanced due diligence and fraud prevention measures. When assessing the risks of money laundering and terrorist financing, organisations should check whether any high-risk factors apply.
The biggest risk currently facing investors and crypto currency platforms is the anonymity and ambiguity of customers as well as some of the individuals and developers that are behind the companies offering crypto currency services themselves.
Although crypto currencies are not currently measured by the Financial Action Task Force (“FATF”) as a high risk, they do recognise that compliance processes are required in relation to Virtual Assets (“VA”) and Virtual Asset Service Providers (“VASPs”), in particular with regard to:
- supervision or monitoring of VA, ICOs and their VASPs for anti-money laundering and counter finance terrorism purposes
- licensing or registration of VA, ICOs and VASPs
- fraud prevention measures, crypto due diligence, suspicious activity and transaction reporting
- enforcement and sanction measures for offenders
Customer Due Diligence – a risk based approach
Let’s start with customer due diligence. When dealing with individuals or investors who are established in high-risk jurisdictions, or who are exposed to other cases of high risk, it is imperative that crypto companies identify the areas of risk and apply enhanced due diligence measures to manage and mitigate those risks appropriately. Specifically, to question:
- whether their customers are operating in geographical areas of higher risk, including areas of non AML/CTF legislation, significant levels of corruption, countries subject to UN sanctions and/or countries harbouring designated terrorist organisations
- whether ownership structures of larger investors appear unusual or excessively complex given the nature of their business
- whether your organisation has received funds from unknown parties
- what information you collect from your customers? Can you demonstrate sound “KYC - know your customer” compliance? How do you verify the information gathered?
- whether any business relationships are conducted in unusual circumstances
ICOs, are they who they say they are?
Large and small investors will want to know who they are investing their assets with and the assurance that the ICOs are appropriate. Will talked earlier about ICO due diligence and although there is no required template for the ICO organisation to complete, investors can still perform background checks on the management and developers who are behind the ICO platform.
The fundamentals of background checks remain the same regardless of the industry; they are just applied differently. In the ICO example, our team would determine the ICO’s integrity, ability and reputation by performing open source intelligence and background checks on the senior management, board directors, relevant executives and shareholders of the ICO.
We would specifically be looking for adverse information and risk, including undisclosed red flags, conflicting findings, false or exaggerated statements and report these findings to the investor.
Background checks will include, but are not limited to, verifying their qualifications and employment history, analysing their financial status, examining their record as a board director, identifying whether there are any litigation, insolvency or court cases filed, as well as digging deeper via archived media and press articles, as well as possible exposure to sanctions lists and politically exposed persons.
If required, an additional level of enhanced due diligence can be applied by providing investors with an independent analysis and assessment of the appropriateness of directors and developers’ professional background by speaking with former colleagues, clients and senior management that had previously worked with the individual.
All of these crypto due diligence measures, enhanced due diligence, industry insight interviews and regulatory references allow investors to invest with more assurance, confidence and compliance.
In summary, the answer to mitigation and management of risk when buying crypto assets is a combined approach of legal advice, and practical due diligence.
The disputes arising out of crypto assets and the risk of such investments are cause for a pause, and an active, informed consideration of the steps that can be taken to understand and manage risk before proceeding with a purchase of a crypto asset.
The current crypto asset market is volatile and immature, presenting an elevated risk of loss, liability and in some cases, litigation. Due diligence before a purchase that includes legal and practical investigation is, in our view, an essential step for any purchaser in managing their risk.