Blockchain
Regulation and Compliance
In August 2022, the US Treasury sanctioned Tornado Cash - a smart contract for private transactions on Ethereum. Not a company, not a person - code. Circle instantly froze $75K in USDC, GitHub deleted the repository, and RPC providers blocked access. Developer Alexey Pertsev was arrested in the Netherlands and sentenced to 5 years 4 months. The crypto community was shocked: "code is law" collided with "law is law". Two years later, the European Union launched MiCA - the first comprehensive crypto law, which forced the world's largest stablecoin (USDT) off European exchanges. And the SEC had already sued dozens of projects for selling "unregistered securities", using a test from 1946. Can you regulate something that was built to be unregulated?
- **Tether (USDT)** - a stablecoin with $100B+ market cap - was delisted from European exchanges after MiCA took effect, because Tether has no e-money license in the EU and does not disclose reserve audits
- **SEC vs Ripple (2020-2023)** - the court ruled that the same token (XRP) can be a security when sold to institutions and not-a-security when bought on an exchange - creating a precedent where an asset's status depends on the context of the transaction, not the nature of the asset itself
- **VARA (Dubai)** - the world's first regulator created specifically for crypto assets (2022) - attracted Binance, Bybit, OKX, and hundreds of other companies fleeing regulatory uncertainty in the US and the strictness of MiCA in the EU
Prerequisites
KYC/AML: Identification and Anti-Money Laundering
Bitcoin was conceived as "money without intermediaries" - no banks, no identity checks. But once the volume of crypto transactions reached trillions of dollars, governments demanded that the rules that apply to banks also apply to cryptocurrencies. **KYC (Know Your Customer)** - mandatory client identification: passport, selfie, proof of address. **AML (Anti-Money Laundering)** - a set of measures to prevent money laundering: transaction monitoring, suspicious activity reports, asset freezes.
The chief architect of global AML standards is **FATF (Financial Action Task Force)**, an intergovernmental organization created by the G7 in 1989. In 2019, FATF issued the **Travel Rule** - a requirement that for transfers above $1,000 (in some jurisdictions $3,000), both sender and recipient must be identified. For banks, this has been standard since 1996. For crypto exchanges, it was a revolution: now Binance, sending BTC to Coinbase, must transmit the sender's name, address, and ID. VASP-to-VASP (Virtual Asset Service Provider) communication required the creation of new protocols: **TRISA**, **TRP**, **OpenVASP**.
**On-chain analytics** fills the gaps that the Travel Rule does not cover. Companies such as **Chainalysis**, **TRM Labs**, and **Elliptic** analyze blockchain transactions and build a graph of connections between addresses. Each address is assigned a risk score: "green" (exchange, known protocol), "yellow" (unknown, but no suspicious connections), "red" (connection to sanctioned addresses, darknet, ransomware). Chainalysis serves more than 100 government agencies, including the FBI, IRS, and Europol. In 2022, their data helped seize $3.6B in BTC stolen during the Bitfinex hack in 2016.
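The following is an added example, not code from the course page or from any analytics vendor. It models the two mechanisms just described from a compliance team's side: a toy risk-propagation over a transaction graph (risk flows from a sanctioned address to everything it funds, decaying per hop) and the Travel Rule threshold check a VASP applies before releasing a withdrawal. The addresses, transfers, the sanctioned list, and the decay rule are all constructed assumptions; real vendors use proprietary heuristics and much richer entity data.

```python
"""Toy on-chain risk scoring plus Travel Rule screening (added illustration)."""
from collections import defaultdict, deque

# Constructed transaction graph: (sender, recipient, amount in USD).
TRANSFERS = [
    ("sanctioned_mixer", "addr_A", 5_000.0),
    ("addr_A", "addr_B", 2_500.0),
    ("addr_B", "addr_C", 900.0),
    ("exchange_hot_wallet", "addr_D", 4_000.0),
    ("addr_D", "addr_C", 100.0),
]
SANCTIONED = {"sanctioned_mixer"}      # constructed stand-in for an SDN-style list
KNOWN_GOOD = {"exchange_hot_wallet"}   # constructed "green" entities (labelled exchange)
DECAY = 0.5                            # assumed per-hop risk decay
TRAVEL_RULE_THRESHOLD_USD = 1_000.0    # page: $1,000 (or $3,000 in some jurisdictions)


def build_graph(transfers):
    """Adjacency list following the direction of funds: sender -> recipients."""
    out_edges = defaultdict(list)
    for sender, recipient, _ in transfers:
        out_edges[sender].append(recipient)
    return out_edges


def risk_scores(transfers, sanctioned, decay=DECAY, max_hops=4):
    """Breadth-first propagation: a sanctioned address has risk 1.0; every
    address downstream inherits the highest decayed risk among its funding
    sources, up to max_hops away. Addresses never reached get no score."""
    graph = build_graph(transfers)
    scores = {addr: 1.0 for addr in sanctioned}
    queue = deque((addr, 0) for addr in sanctioned)
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for nxt in graph[addr]:
            candidate = scores[addr] * decay
            if candidate > scores.get(nxt, 0.0):
                scores[nxt] = candidate
                queue.append((nxt, hops + 1))
    return scores


def classify(addr, scores, known_good, red_at=0.25):
    """Map a numeric score to the traffic-light labels used in the text.
    A known-good label does not override a sanctions link."""
    score = scores.get(addr, 0.0)
    if score >= red_at:
        return "red"
    if addr in known_good:
        return "green"
    return "yellow"   # unknown, but no suspicious connections found


def screen_withdrawal(counterparty, amount_usd, scores, known_good,
                      counterparty_is_vasp, threshold=TRAVEL_RULE_THRESHOLD_USD):
    """Decision a VASP's compliance engine takes before releasing a withdrawal:
    block red counterparties; for VASP-to-VASP transfers above the threshold,
    hold until originator/beneficiary data has been exchanged (Travel Rule);
    otherwise allow. Transfers to unhosted wallets rely on screening alone,
    which is the gap the text says on-chain analytics fills."""
    label = classify(counterparty, scores, known_good)
    if label == "red":
        return {"action": "block", "risk": label,
                "reason": "counterparty linked to a sanctioned address"}
    if counterparty_is_vasp and amount_usd > threshold:
        return {"action": "hold_for_travel_rule", "risk": label,
                "reason": "VASP-to-VASP transfer above threshold"}
    return {"action": "allow", "risk": label, "reason": "no restriction triggered"}


if __name__ == "__main__":
    scores = risk_scores(TRANSFERS, SANCTIONED)
    for addr in ["addr_A", "addr_B", "addr_C", "addr_D", "exchange_hot_wallet"]:
        print(addr, round(scores.get(addr, 0.0), 3), classify(addr, scores, KNOWN_GOOD))
    print(screen_withdrawal("addr_A", 50.0, scores, KNOWN_GOOD, counterparty_is_vasp=False))
```

With the constructed graph, `addr_A` (one hop from the mixer) scores 0.5 and `addr_B` 0.25, both "red"; `addr_C` inherits only 0.125 and stays "yellow" even though it also received funds from a clean path. The decay and the 0.25 cut-off are the tunable parts: set them too loosely and every address a few hops from a mixer is frozen, too tightly and layering through intermediary wallets evades the screen.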
**OFAC and Tornado Cash (August 2022)** - a precedent that changed the industry. The US Treasury (OFAC) added the Tornado Cash **smart contract** to the SDN sanctions list - for the first time in history, sanctions were imposed not on a person or company, but on code. Result: Circle froze $75K in USDC at Tornado Cash addresses, GitHub deleted the repository, and RPC providers (Infura, Alchemy) began blocking calls to the contract. Tornado Cash developer Alexey Pertsev was arrested in the Netherlands and sentenced to 5 years 4 months. The court ruled: even if code is open-source and autonomous, its creator bears responsibility for its use.
**Compliant DeFi** - an attempt to combine DeFi with regulation. **Aave Arc** (launched in 2022) is a permissioned version of Aave where only KYC-verified users whitelisted by operator Fireblocks can access it. **Compound Treasury** allows institutional investors to earn a fixed yield in USDC through a compliance wrapper. **Maple Finance** provides under-collateralized loans to institutional borrowers after KYC. The paradox: "compliant DeFi" preserves the technology (smart contracts, transparency) but abandons permissionless access - DeFi's primary principle.
OFAC imposed sanctions on the Tornado Cash smart contract in 2022. What impact did this have on the DeFi ecosystem?
Security Tokens: When a Token Becomes a Security
In 2017-2018, the ICO boom raised $20B+: projects issued "utility tokens", claiming they provided "access to a platform", not an investment. The SEC thought otherwise. The key regulatory question: is a token a **security**? If yes - it falls under securities laws: registration, disclosure, sales restrictions, investor protection. If not - it is a commodity, utility, or something entirely new.
The primary classification tool is the **Howey Test**, established by the US Supreme Court in 1946 in SEC v. W.J. Howey Co. Four criteria: (1) an investment of money, (2) in a common enterprise, (3) with an expectation of profit, (4) derived from the efforts of others. If all four are yes, the token is a security. Most 2017 ICO tokens qualify: investors contributed ETH (money), to a team's project (common enterprise), expecting price appreciation (profit), due to the developers' work (efforts of others).
**SEC vs Ripple (2020-2023)** - the case that defined the boundaries of regulation. The SEC accused Ripple Labs of selling unregistered securities (XRP) totaling $1.3B. In July 2023, the court issued a partial ruling: **programmatic sales** (sales on secondary markets through exchanges) are **not a security**, because a buyer on an exchange does not know whether money is going to Ripple. But **institutional sales** (direct sales to funds) **are a security**, because investors expected profit from Ripple's efforts. This ruling created a dual precedent: the same token can be a security in one context and not-a-security in another.
**Security Token Offerings (STO)** - a legal alternative to ICOs. Unlike ICOs, STOs are registered with regulators or use exemptions: **Reg D** (sales only to accredited investors - wealthy individuals with income >$200K/year), **Reg S** (sales outside the US), **Reg A+** (up to $75M with simplified registration). Tokenized securities are traditional assets (stocks, bonds, real estate) represented as tokens on the blockchain. The BlackRock BUIDL Fund ($500M+) - tokenized US Treasuries on Ethereum, accessible via KYC.
The **EU** approaches the question differently. Instead of applying old law (like the Howey Test from 1946), the EU developed a **Prospectus Regulation** - if a token qualifies as a transferable security, the issuer must publish a prospectus (disclosure document). But the definition of "security" in the EU is not identical to the American one: a governance token that grants voting rights but does not promise profit may not be a security under European law, but could be under American law. This asymmetry creates headaches for projects operating globally.
A project issues a token through an ICO, raising $50M from public investors. The team promises to build a platform that will "increase the token's value". Under the Howey Test, this token is most likely:
MiCA: The First Comprehensive Crypto Law
While the SEC regulated crypto through enforcement actions (suing projects after the fact), the European Union took a different approach - writing a law from scratch. **MiCA (Markets in Crypto-Assets Regulation)** is the world's first comprehensive legal framework for crypto assets, adopted in 2023 and entering into force in 2024. MiCA creates uniform rules for all 27 EU member states: instead of obtaining a license in each country, a crypto company gets a single CASP license and operates across the entire European Union.
MiCA divides crypto assets into **three categories**, each with its own requirements. **EMT (E-Money Tokens)** - stablecoins pegged to a single fiat currency (USDC, USDT). An EMT issuer must be a licensed credit or e-money institution, hold 100% reserves in EU banks, and guarantee the right of redemption at par at any time. **ART (Asset-Referenced Tokens)** - tokens pegged to a basket of assets or multiple currencies (the model of Facebook's abandoned Libra/Diem). ARTs have the strictest requirements: capital from €350K to €5M, stress-testing of reserves, transaction volume limits. **Other crypto assets** - everything that does not fall into the first two categories: Bitcoin, Ethereum, governance tokens, utility tokens.
**MiCA's impact on stablecoins** - the most visible effect. Tether (USDT), the largest stablecoin ($100B+ market cap), does not meet MiCA requirements: the company is incorporated in the BVI, holds no e-money license in the EU, and does not provide full reserve transparency. Result: European exchanges (Bitstamp, Kraken EU, OKX EU) were forced to **delist USDT** for European users. Circle (USDC), in contrast, obtained an e-money license in France and became a MiCA beneficiary - USDC's share on European exchanges grew.
**MiCA vs SEC: two approaches to regulation.** The SEC uses an **enforcement-first** approach: there is no special crypto law; the regulator applies existing laws from the 1930s-40s and files lawsuits. Projects learn the rules only after they have already broken them. MiCA uses a **legislation-first** approach: the law comes first, enforcement later. Companies know the rules in advance and can prepare. MiCA's advantage - legal certainty: a CASP license provides an unambiguous right to operate. The SEC approach's advantage - flexibility: the law adapts to new technology through legal precedents, not through a years-long legislative process.
**MiCA's limitations.** DeFi protocols are currently **out of scope** - MiCA only regulates centralized intermediaries (CASPs). If Uniswap is an autonomous smart contract with no operator, who should receive the license? NFTs are also largely excluded (except for "fractionalized" NFTs, which may qualify as financial instruments). The EU has planned a review of MiCA's scope to address DeFi and NFTs. The question is not "will DeFi be regulated" but "when and how".
Stablecoin X is pegged to the US dollar (1:1), the issuer is registered in the Cayman Islands, reserves are held in Hong Kong banks, and reserve audits have not been conducted. What is the status of this token under MiCA?
Jurisdictions: The Global War for Crypto Companies
Cryptocurrencies are global - a single smart contract on Ethereum is accessible from any country in the world. But regulation is local. The result: **regulatory arbitrage** - companies register in the jurisdiction with the most favorable regime. Binance moved from China to Japan, from Japan to Malta, from Malta to effectively "no headquarters". Ripple considered moving from the US to the UK, Singapore, or Dubai. The choice of jurisdiction is a strategic decision that determines access to capital, banking, and legal risks.
**The USA** is the largest market, but with the most confusing regulation. The **SEC** considers most tokens securities and regulates through enforcement. The **CFTC** considers Bitcoin and Ethereum commodities and regulates derivatives. **FinCEN** requires AML compliance from money transmitters. The **IRS** taxes crypto income as property (capital gains). The problem: the SEC and CFTC have been arguing for years over who regulates crypto, and Congress cannot pass a unified law. The result - companies do not know the rules until they are sued.
**Taxation** is another factor in choosing a jurisdiction. In the US, crypto is taxed as property: every sale, exchange, or even buying coffee with BTC is a **taxable event** with a capital gains tax of up to 37% (short-term). Germany is at the opposite extreme: if you hold crypto for more than 1 year, profit is **completely tax-free**. Portugal until 2023 did not tax crypto profits at all - and became a magnet for crypto nomads, until it introduced a 28% tax. The UAE has a 0% income tax, attracting both traders and companies.
**Regulatory arbitrage is not always a salvation.** FTX incorporated in the Bahamas, counting on light regulation. When the exchange collapsed in November 2022, it was revealed: $8B in user funds had been commingled with Alameda Research money, bookkeeping was done in QuickBooks (software for small businesses), and the Bahamian "regulator" lacked the resources to supervise a company with $32B in turnover. Light regulation attracts not only innovative companies but also fraudsters - and when everything collapses, victims are left without protection.
**The future: global coordination.** FATF sets AML standards for 200+ countries, but crypto regulation remains fragmented. **IOSCO (International Organization of Securities Commissions)** published recommendations for crypto markets in 2023 - but they are not binding. **FSB (Financial Stability Board)** is working on global standards for stablecoins. The question: is a "unified" crypto regulation even possible if countries compete for crypto companies? Singapore, Dubai, and Switzerland are not interested in harmonizing with the stricter American approach - lighter regulation attracts businesses and a tax base.
**CBDC (Central Bank Digital Currency)** - central banks' answer to the crypto threat. 130+ countries are researching CBDCs, 11 have already launched (including Nigeria, the Bahamas, and Jamaica). China has been testing the **digital yuan (e-CNY)** since 2020: 260 million wallets, $250B in transactions. The EU is developing a **digital euro** (launch ~2027). CBDCs are not crypto: full central bank control, the possibility of programmable restrictions (money with an expiry date, prohibition on certain purchases), no privacy. For governments, a CBDC is an alternative to stablecoins without the risks of private issuers like Tether.
Misconception: decentralized protocols cannot be regulated - code is autonomous, it has no operator, and governments are powerless against smart contracts
Governments cannot 'switch off' a smart contract, but they can regulate the **infrastructure around it**: stablecoins (USDC was frozen at Tornado Cash addresses), RPC providers (Infura blocks calls to sanctioned contracts), frontends (GitHub removes repositories), developers (arrest of Alexey Pertsev), and fiat on/off-ramps (exchanges must delist). 'Unstoppable code' is useless if you cannot connect to it, deposit stablecoins, or withdraw funds to fiat.
The misconception is based on a technical truth (a smart contract truly cannot be deleted), but ignores ecosystem dependency. A DeFi protocol does not operate in a vacuum: it depends on stablecoins, RPC nodes, oracles, frontends, and fiat bridges - and all of these components have operators who can be regulated. Tornado Cash proved this in practice: the contract exists on Ethereum, but its usage dropped 80%+ after OFAC sanctions.
A crypto startup is choosing a jurisdiction for registration. Priorities: clear rules, access to banking, fast licensing. Tax rate is secondary. Which jurisdiction is the best fit?
Key Takeaways
- **KYC/AML** is the foundation of crypto compliance. The FATF Travel Rule requires identification for transfers above the $1,000-$3,000 threshold (depending on jurisdiction). On-chain analytics (Chainalysis, TRM Labs) covers what the Travel Rule cannot: DeFi, unhosted wallets, peer-to-peer. OFAC sanctions against Tornado Cash showed: code cannot be stopped, but the infrastructure around it can be paralyzed
- **The Howey Test (1946)** determines whether a token is a security: investment of money + common enterprise + expectation of profit + from efforts of others. SEC vs Ripple created a precedent of 'contextual classification': the same token can be a security under some circumstances and not-a-security under others. STO and Reg D/S/A+ are the legal path for tokenized securities
- **MiCA** - the first comprehensive crypto law (EU, 2024). Three categories: EMT (single-currency stablecoins), ART (basket-pegged), others. A CASP license provides passporting to 27 countries. USDT was delisted for failing to meet EMT requirements. DeFi is currently out of scope - but a review is inevitable
- **Jurisdictions** compete for crypto businesses: Switzerland (clarity + crypto banks), Dubai (0% tax + VARA), Singapore (strict but predictable MAS). The US is the least attractive due to the SEC/CFTC turf war and the enforcement-first approach. Regulatory arbitrage works - but FTX in the Bahamas showed that 'light' regulation does not protect users
- Sanctions against Tornado Cash shattered the myth of unregulatable DeFi - and the lesson started with a question: can you regulate something created to be unregulated? The answer: code cannot be deleted, but the ecosystem around the code - stablecoins, RPC, frontends, developers - can be fully controlled
Related Topics
Regulation connects governance, stablecoins, token standards, and wallet infrastructure:
- DAO: Decentralized Governance — DAOs have no legal status in most jurisdictions - Wyoming (2021) was the first to recognize DAOs as LLCs. Governance tokens may be classified as securities under the Howey Test. MiCA does not yet regulate DAOs, but a review is planned
- Stablecoins — MiCA introduced strict requirements for stablecoins (EMT/ART): e-money license, 100% reserves in EU banks, right of redemption. USDT was delisted from the EU, USDC obtained a license. OFAC's freeze of USDC at Tornado Cash addresses demonstrated the centralization risk of stablecoins
- ERC Standards — Security tokens use ERC-1400 (compliance-ready) instead of regular ERC-20: whitelisting, forced transfers, document management. ERC-3643 is the standard for tokenized securities with on-chain identity verification
- Wallets and Keys — The Travel Rule distinguishes 'hosted' (custodial, on an exchange) and 'unhosted' (non-custodial, personal) wallets. The EU is considering a KYC requirement for transfers to unhosted wallets exceeding €1,000. Self-custody is the last line of privacy that regulators are trying to restrict
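As an added example that is not part of the page and not ERC-1400 or ERC-3643 contract code, the following Python model shows the transfer restrictions a compliance-ready security token enforces that a plain ERC-20 lacks: an investor whitelist, lock-up periods, a global pause, and a controller-only forced transfer that is recorded with a reason. Method names, the numeric status codes (modelled loosely on the ERC-1066 reason-code style), and the scenario values are assumptions; a real token would implement this in Solidity.

```python
"""Python model of compliance-gated token transfers (added illustration)."""
from dataclasses import dataclass, field

# Assumed status codes, ERC-1066 style: one byte per outcome so that a
# pre-flight canTransfer call can explain a refusal without reverting.
SUCCESS = 0x51
INSUFFICIENT_BALANCE = 0x52
TRANSFERS_HALTED = 0x54
FUNDS_LOCKED = 0x55
INVALID_SENDER = 0x56
INVALID_RECEIVER = 0x57
INVALID_OPERATOR = 0x58


@dataclass
class SecurityToken:
    controller: str                                   # regulator-appointed operator
    balances: dict = field(default_factory=dict)
    whitelist: set = field(default_factory=set)       # KYC-verified investors only
    lockup_until: dict = field(default_factory=dict)  # address -> unlock timestamp
    paused: bool = False
    events: list = field(default_factory=list)        # audit trail, as a contract would emit

    def issue(self, to, amount):
        """Primary issuance goes only to whitelisted investors (Reg D/S style)."""
        if to not in self.whitelist:
            return INVALID_RECEIVER
        self.balances[to] = self.balances.get(to, 0) + amount
        self.events.append(("Issued", to, amount))
        return SUCCESS

    def can_transfer(self, sender, recipient, amount, now):
        """Pre-flight check; same rules the transfer itself applies."""
        if self.paused:
            return TRANSFERS_HALTED
        if sender not in self.whitelist:
            return INVALID_SENDER
        if recipient not in self.whitelist:
            return INVALID_RECEIVER
        if self.lockup_until.get(sender, 0) > now:
            return FUNDS_LOCKED
        if self.balances.get(sender, 0) < amount:
            return INSUFFICIENT_BALANCE
        return SUCCESS

    def transfer(self, sender, recipient, amount, now):
        code = self.can_transfer(sender, recipient, amount, now)
        if code == SUCCESS:
            self._move(sender, recipient, amount)
            self.events.append(("Transfer", sender, recipient, amount))
        else:
            self.events.append(("TransferRejected", sender, recipient, amount, code))
        return code

    def controller_transfer(self, operator, sender, recipient, amount, reason):
        """Forced transfer: only the controller may bypass whitelist and
        lock-up (court order, lost keys, sanctions). The reason is recorded
        so the override is auditable rather than silent."""
        if operator != self.controller:
            return INVALID_OPERATOR
        if self.balances.get(sender, 0) < amount:
            return INSUFFICIENT_BALANCE
        self._move(sender, recipient, amount)
        self.events.append(("ControllerTransfer", operator, sender, recipient, amount, reason))
        return SUCCESS

    def _move(self, sender, recipient, amount):
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def scenario():
    """Constructed walk-through: issuance, a refused transfer, a lock-up, a forced transfer."""
    token = SecurityToken(controller="regulator")
    token.whitelist.add("alice")
    token.issue("alice", 1_000)
    r1 = token.transfer("alice", "bob", 100, now=10)     # bob not KYC'd yet
    token.whitelist.add("bob")
    token.lockup_until["alice"] = 100                    # 12-month style lock-up, in toy units
    r2 = token.transfer("alice", "bob", 100, now=50)     # still locked
    r3 = token.transfer("alice", "bob", 100, now=150)    # allowed
    r4 = token.controller_transfer("mallory", "bob", "escrow", 50, "attempted takeover")
    r5 = token.controller_transfer("regulator", "bob", "escrow", 50, "court order #placeholder")
    return token, (r1, r2, r3, r4, r5)


if __name__ == "__main__":
    tok, results = scenario()
    print([hex(r) for r in results], tok.balances)
```

The point of the status codes is that a custodian or exchange front-end can call `can_transfer` before submitting a transaction and tell the investor why it would fail (not whitelisted, locked, paused) instead of burning gas on a revert. Note that the controller override is exactly the feature that makes such tokens acceptable to securities regulators and unacceptable to purists: whoever holds the controller key can move anyone's tokens, so that key deserves the same protection as an issuer's signing authority.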
Questions for Reflection
- OFAC sanctioned code (Tornado Cash), and the developer received 5 years in prison for writing open-source software. Should developers be held responsible for how their code is used - or is this equivalent to punishing a knife manufacturer for a murder?
- MiCA requires stablecoins to hold 100% reserves in EU banks. This protects users from situations like Tether (opaque reserves) - but also means that no decentralized stablecoin (DAI, FRAX) can be fully compliant. How do you regulate stablecoins without killing innovation?
- Switzerland, Dubai, and Singapore compete for crypto companies with light regulation, and FTX in the Bahamas showed that light regulation does not protect users. Is a balance between attracting business and protecting investors possible - or is this a zero-sum game?