I INTRODUCTION TO THE LEGAL AND REGULATORY FRAMEWORK
As a globally recognised financial centre with international outreach, Luxembourg has positioned itself as a world leader in the sphere of digital financial services and as a financial technology hub.2 It was the first country in Europe to license virtual currency exchange platforms as payment institutions.
On 19 April 2016, the Minister of Finance authorised Bitstamp Europe SA, a platform allowing its clients to exchange Bitcoins, euros and US dollars. If the issuing of virtual currencies as such is not subject to authorisation, the service provided by the intermediary – receiving funds from the buyer of Bitcoin in order to transfer them afterwards to the seller – is covered by the authorisation as a payment institution. This authorisation echoed the opinion of the CSSF (Luxembourg's supervisory authority for the financial sector), which in 2014 was the first regulator of the financial sector that was in favour of the regulation of platforms for the exchange of virtual currencies when exercising an activity of the financial sector.3 In a press release dated 14 February 2014, the CSSF considered that activities such as the issuing of means of payments in the form of virtual or other currencies, the provision of payment services using virtual or other currencies, and the creation of a market (platform) to trade virtual or other currencies, are to be defined as being financial activities, and that any person wishing to establish in Luxembourg in order to carry out such an activity has to receive a ministerial authorisation. bitFlyer, a Japanese virtual currencies exchange platform, was granted a licence in January 2018.
A consumer warning on virtual currencies issued by the CSSF on 14 March 2018 recalls this position by asserting that, even though there is currently no legal framework in Luxembourg that specifically applies to virtual currencies, it should be borne in mind that any provision of financial sector services by a natural or legal person requires an authorisation by the Minister of Finance.4
In another consumer warning on initial coin offerings (ICOs) and tokens, issued on the same date, the CSSF acknowledges that raising funds from the public in the form of initial coin offerings (ICOs) is not subject to a specific regulation, and does not benefit from any guarantee or other form of regulatory protection. The CSSF considers further that despite the lack of specific regulations applying to ICOs, the activities related thereto or relating to the creation of tokens, the collection and raising of funds may, depending on their characteristics, be subject to certain legal provisions and thus to a number of supervisory requirements.5
The CSSF specifies in the warning that it will:
assess such fundraising activities by extending its analysis to the objectives pursued in order to assess whether it could be a scheme to circumvent or avoid financial sector regulations, notably the provisions of the Law of 10 July 2005 on prospectuses for securities and the Law of 5 April 1993 on the financial sector. The CSSF considers that for any fundraising, the initiators of such ICOs are required to establish anti-money laundering and terrorist financing procedures.
II SECURITIES AND INVESTMENT LAWS
In its warning on ICOs, the CSSF has not provided for a classification of tokens or cryptocurrencies underlying ICOs as financial instruments or otherwise. The CSSF at the same time acknowledges that this type of activity might be subject to supervisory requirements in Luxembourg.
The CSSF warning is in line with the European Securities and Markets Authority (ESMA) position on ICOs.6 ESMA also considers that firms involved in ICOs must give careful consideration to whether their activities constitute regulated activities. If this is the case, firms have to comply with the relevant legislation, and any failure to comply with the applicable rules would constitute a breach.
Actors who would like to provide services related to tokens, be it dealing with tokens or publicly offering those tokens within a regulated financial framework, should be allowed to do so as long as all applicable legal requirements are fulfilled.
According to an ESMA paper dated November 2017, the features and purpose of coins or tokens vary across ICOs. Some coins or tokens serve to access or purchase a service or product that the issuer develops using the proceeds of the ICO. Others provide voting rights or a share in the future revenues of the issuing venture. Some have no tangible value. Some coins or tokens are traded or may be exchanged, or both, for traditional or virtual currencies at specialised coin exchanges after issuance.7
ICO campaigns are conducted online, using the internet and social media. The coins or tokens are typically created and disseminated using distributed ledger or blockchain technology. ICOs are used to raise funds for a variety of projects, including but not limited to businesses leveraging on a distributed ledger. Virtually anyone who has access to the internet can participate in an ICO.8
Commonly, three different types of tokens can be identified within an ICO context.9
Payment or cryptocurrency tokens are tokens that are intended to be used, now or in the future, as a means of payment for acquiring goods or services, or as a means of money or value transfer. Cryptocurrencies give rise to no claims on their issuer.10 Payment tokens are subject to the Law of 10 November 2009 on payment services.11
Utility tokens do provide access digitally to an application or service by means of a blockchain-based infrastructure.12
Asset tokens are representing assets such as a debt or equity claim on the issuer. Asset tokens promise, for example, a share in a future company's earnings or future capital flows. In terms of their economic function, therefore, these tokens are analogous to equities, bonds or derivatives. Tokens that enable physical assets to be traded on a blockchain also fall into this category.13
Taking as a starting point the CSSF's warning on ICOs, and in particular the statement that asset tokens might be subject to regulatory supervision in line with the position taken by several European countries with regard to ICOs,14 it is our view that, depending on the nature of the token, an ICO could fall, among others, within the remit of the Law of 5 April 1993 on the financial sector, the Law of 30 May 2018 on markets in financial instruments, the Law of 17 December 2017 relating to undertakings for collective investment and the Law of 10 July 2005 on prospectuses for securities.
We therefore consider that asset tokens need to be analysed with respect to the notion of financial instruments and the laws and regulations applicable thereto.15 Depending on the structure of a token, the latter may qualify as a transferable security, a unit in a collective investment undertaking or a token could serve as the underlying asset for a derivative contract.
i Transferable security
The Law of 30 May 2018 on markets in financial instruments16 defines transferable securities as those classes of securities that are negotiable on the capital market, with the exception of instruments of payment, such as:
- shares in companies and other securities equivalent to shares in companies, partnerships or other entities, and depositary receipts in respect of shares;
- bonds or other forms of securitised debt, including depositary receipts in respect of such securities;
- any other securities giving the right to acquire or sell any such transferable securities or giving rise to a cash settlement determined by reference to transferable securities, currencies, interest rates or yields, commodities or other indices or measures.
According to this definition, if a token is transferable, negotiable and embodies certain rights, it can prima facie be defined as a security:
- with regard to transferability, the Finance Working Group of the Blockchain Bundesverband considers in its statement17 that transferability means that units can be assigned to another person, irrespective of the existence or not of a certificate that registers or documents the existence of the units. These concepts can be applied mutatis mutandis for Luxembourg. The important point here is that the transfer can be made and registered without the need for a written document;18
- with regard to negotiability, such term needs to be analysed against the classical background of negotiability of securities. Securities are in particular negotiable when they are traded on exchanges or platforms;19 and
- as to the rights attached to the tokens, these need to be share-type rights, bond-type rights, or rights giving the right to acquire or sell such type of security or rights related thereto.
In our view, a three-factor test can be applied to tokens to determine whether it qualifies as a security:20
- the first factor is related to the economic rationale behind the issuing of the token. Why is the token issued? What is the project behind? Is it a business or economic project? What is the objective of the issuer?
- the second factor is related to the rights of the token owner. Are these share-type or bond-type rights?
- the third factor is linked to the purpose of the buyer or seller. Why is he or she buying the token? Is the holder participating in the profits made? Does he or she have an interest in the economic and financial development of the company or the project?
We believe that this test will be relevant, and will assist in determining whether a token is a security. In practise, it could well be that the factors (b) and (c) coincide in many instances.
In our opinion, the investment substance has to be considered. If in substance a token corresponds to a security and produces effects similar to those of a security, it has to be regulated like a security.21 It should not be possible to argue that, because of the innovative character of tokens and due to their underlying technology, they would be exempted from complying with financial regulation, specifically but not only with regard to investor protection and anti-money laundering and counter-terrorism financing (AML/CTF) aspects.22
ii Unit in a collective investment undertaking
A token could also be structured in such a way as to qualify as a unit in an investment fund, as defined by the Law of 17 December 2010 relating to undertakings for collective investment. A token could also be based on or represent a unit in a collective investment undertaking.
iii Underlying asset for a derivative contract
In line with the ESMA paper, one of the conclusions of the qualification of tokens as financial instruments is that the firms involved in ICOs conduct regulated investment activities such as placing, dealing in or advising on financial instruments, or managing or marketing collective investment schemes.25
For instance, virtual currency exchange platforms that intend to allow trading of tokens, qualifying as financial instruments, on their platforms would need to be authorised as a multilateral trading facility under the law of 5 April 1993 on the financial sector.26
In conclusion, depending on the exact qualification of the token and on the financial service provided, the following regulations may apply:
- Law of 10 July 2005 on prospectuses for securities;
- Law of 5 April 1993 on the financial sector;
- Law of 30 May 2018 on markets in financial instruments;
- Law of 17 December 2010 relating to undertakings for collective investment;
- Law of 12 July 2013 on alternative investment fund managers; and
- Law of 12 November 2004 on the fight against money laundering and terrorist financing.
III BANKING AND MONEY TRANSMISSION
A money remittance business equivalent to a money services business (MSB) in the United States is regulated in Luxembourg by the Law of 10 November 2009 on payment services. Unlike MSBs in the US, Luxembourg payment institutions are fully regulated.27
IV ANTI-MONEY LAUNDERING
The Law of 12 November 2004 on the fight against money laundering and terrorist financing applies to tokens as soon as they fall under the scope of financial sector regulation.
Virtual currency exchange platforms also have to comply with the Law of 12 November 2004 on the fight against money laundering and terrorist financing, and more specifically with the requirements related to customer due diligence obligations, obligations of adequate internal organisation and the obligation to cooperate with the authorities.28
V REGULATION OF EXCHANGES
Virtual currency exchange platforms willing to establish in Luxembourg are required to obtain a licence as a payment institution. This requirement applies to platforms allowing for the exchange from virtual currencies to fiat currencies, and vice versa. It is important to highlight that only the fund flows that qualify as payment services are subject to regulation.
All legal requirements under the Law on payment services apply, meaning that exchange platforms will have to submit an application to the CSSF for authorisation as a payment institution. The Law on payment services furthermore requires that payment institutions, after having been granted the authorisation, need to comply on a permanent basis with the conditions for granting the authorisation, and to fulfil the reporting requirements to the CSSF.
i Authorisation procedure
According to the Law on payment services, no person other than a payment service provider shall be allowed to provide payment services in Luxembourg.
Like any payment institution, exchange platforms providing for virtual-to-fiat currency exchanges (and vice versa) willing to establish in Luxembourg will have to provide the CSSF with all the information required by law and listed in the application for authorisation form published on the CSSF website and implementing the European Banking Authority Guidelines.29
The authorisation form requires applicants to submit:
- identification details;
- a programme of operations;
- a business plan;
- the structural organisation of the business;
- evidence of the initial capital; and
- measures to safeguard the funds of payment services users.
Additionally, applicants have to submit to the CSSF:
- their governance and internal control mechanisms;
- their procedure for monitoring, handling and following up on security incidents and security-related customer complaints; and
- a process for the filing, monitoring and tracking of, and the restricting of access to, sensitive payment data and business continuity arrangements.
The form also requires the submission of:
- the principles and definitions applicable to the collection of statistical data on performance, transactions and fraud;
- a security policy document; and
- internal control mechanisms to comply with the obligations in relation to AML/CTF.
Furthermore, the CSSF shall require information on persons with qualifying holdings in the applicant in order to allow the CSSF to proceed to assess the identity and suitability of the directors and persons responsible for the management of the payment institution. The identity of the statutory auditors also has to be provided.
The CSSF application form requires that the information provided by applicants is true, complete, accurate and up to date, and that the applicants comply with all the provisions of the application form.
With regard to the level of detail of the information provided, it needs to be proportionate to the applicant's size and internal organisation, and to the nature, scope, complexity and risk of the services that the applicant intends to provide.
From a practical point of view, it needs to be emphasised that due to the innovative character of the services provided by virtual currency exchange platforms, specifically due to the distributed ledger technology underlying virtual currencies and the fact that pure virtual currency transfers are currently not monitored by public authorities within the EU, providers of those services should pay particular attention to information technology (IT) and AML/CTF risks, and in general the risks linked to their product.
ii Post-authorisation requirements
Once a licence is granted, virtual currency exchange platforms have to comply with the legal requirements set out by the Law on payment services on a permanent basis. Article 11 of the Law requires that, in order to ensure the sound and prudent management of a payment institution, it shall dispose for the performance of payment services of a robust internal governance arrangement that includes:
- a clear organisational structure with well-defined, transparent and consistent lines of responsibility;
- effective processes to identify, manage, monitor and report the risks they are or might be exposed to; and
- adequate internal control mechanisms, including sound administrative and accounting procedures as well as control and security arrangements for information-processing systems.
The arrangement, processes and mechanisms shall be comprehensive and proportionate to the nature, scale and complexity of the payment services provided by the payment institution.
Several CSSF circulars further define the obligations of a payment institution while operating in and out of Luxembourg.
Specific emphasis needs to be given to the requirement regarding entities' central administration. According to CSSF circular 95/120, a payment institution must not only have a registered office in Luxembourg, but also has to have its central administration, including its decision-making centre and its head office, in Luxembourg. The circular also explicitly requires that the persons responsible for the management, and the managers of various business and administrative functions or the various departments or divisions existing within the institution, in principle have to be permanently present on site as a matter of principle.
CSSF circulars also clarify the legal requirements with regard to the administrative and accounting organisation of a payment institution, as well as its internal control and compliance functions, and outsourcing requirements.30
Particular attention needs to be paid by exchange platforms to the circulars relating to institutions' IT security and the security of internet payments. Payment institutions are authorised to use cloud computing resources provided by an external cloud services provider to run their business.31 For all practical purposes this is important because most, if not all, exchanges rely on cloud solutions.
Payment institutions must provide periodic reports to the CSSF: CSSF circular 11/511 refers to the periodic reporting scheme for payments institutions.
After the end of the financial year, a short-form report as well as the final version of the periodic reporting tables and the internal audit and control reports have to be submitted to the CSSF. One month after the ordinary general meeting, a long-form audit report has to be submitted to the CSSF with a number of other corporate documents.
The compliance of payment institutions with all the requirements set out above is assessed in the context of the off-site prudential supervision and is subject to regular on-site inspections.
VI REGULATION OF MINERS
There are no specific licensing requirements for miners under Luxembourg law. However, if a miner exercises its activities in a professional way, he or she would have to apply for an ordinary business licence and hence be considered as a professional service provider.
VII REGULATION OF ISSUERS AND SPONSORS
As set out and discussed in Section II, if ICO tokens qualify as financial instruments, the firms involved in ICOs are conducting regulated financial activities in Luxembourg and therefore need to comply with relevant regulations.
An issuer of a token qualifying as a financial instrument will, for instance, be required to publish a prospectus according to the Law of 10 July 2005 on prospectuses for securities. Additionally, as of July 2018/July 2019, the European Prospectus Regulation will be applicable.32
In this context, it is worth mentioning that, as of 21 July 2018, the Prospectus Regulation exempts security offers to the public with a total consideration in the European Union of less than €1 million, calculated over 12 months from the obligation to publish a prospectus.33 The European legislator indeed considers that the costs of producing a prospectus are likely to be disproportionate to the envisaged proceeds of the offer.34
An additional exemption may apply, as the Prospectus Regulation offers Member States the option not to require the publication of a prospectus for offers of securities to the public not exceeding €8 million over a 12-month period, but only to the extent such offering is limited to one single Member State and such offerings shall not benefit from the passporting regime.35
Other exemptions shall also apply as of 21 July 2019. They relate, for example, to:
- offers made to qualified investors, or offers addressed to fewer than 150 persons per Member State (other than qualified investors);
- offers of securities whose denomination per unit amounts to at least €100,000; or
- offers addressed to investors who acquire securities for a total consideration of at least €100,000 per investor for each separate offer.36
Issuers will have to comply with the Law of 12 November 2004 on the fight against money laundering and terrorist financing.
Additionally, ordinary civil and commercial law provisions will apply to issuers.
VIII CRIMINAL AND CIVIL FRAUD AND ENFORCEMENT
Most, if not all, of the laws referred to in this chapter contain provisions on enforcement carrying administrative as well as criminal sanctions. Ordinary civil, consumer protection, commercial and criminal law can also be applied in the context of fraud and enforcement.
Regarding direct taxation, the tax administration issued a circular on 26 July 2018,37 the essential parts of which can be summarised as follows:
- virtual currencies are intangible assets for accounting and tax purposes;
- professionals mining or selling virtual currencies are subject to ordinary taxation; and
- in a non-professional environment, profits made through transactions whereby a virtual currency is exchanged against another currency (fiat or virtual), or whereby a virtual currency is used to pay for goods or services, are subject to taxation under the rules applying to speculation profits if the virtual currency transferred has been held for less than six months.
For indirect taxes, financial services are, in line with well-established EU law principles, not subject to VAT. The exchange of fiat currency against virtual currency itself shall not be subject to VAT as per the Hedqvist ruling of the European Court of Justice.38
X OTHER ISSUES
This section analyses tokens in an electronic money context.
If a token corresponds to the definition of electronic money – that is, in substance it is a monetary value represented by a claim on the issuer, which is electronically stored and issued on receipt of funds for the purpose of making payment transactions, and is accepted by a natural or legal person other than the issuer – the latter would have to apply for an e-money licence.39
Tokens backed by fiat currencies and designed solely in a way to be used as a payment instrument would fall under the remit of this definition.
The licensing process applicable to e-money issuers is similar to the process applicable to applicants for a payment institution licence.40 Just like payment institutions, e-money institutions have to comply with the legal requirements set out by the Law on payment services on a permanent basis. CSSF circulars clarify the legal requirements.
XI LOOKING AHEAD
With distributed ledger technologies and cryptocurrencies here to stay,41 since 2014 Luxembourg has shown its capacity to innovate in the sphere of FinTech. We firmly believe that Luxembourg will also become an EU hub for regulated token offerings in the future.
1 Jean-Louis Schiltz is the senior partner and Nadia Manzari is a partner at Schiltz & Schiltz SA.
3 CSSF annual report 2016.
4 CSSF Warning regarding Virtual Currencies of 14 March 2018.
5 CSSF Warning regarding initial coin offerings ('ICOs') and tokens of 14 March 2018.
6 ESMA statements of 13 November 2017 ESMA 50-157-828.
9 Swiss Financial Market Supervisory Authority (FINMA) Guidelines for enquiries regarding the regulatory framework for initial coin offerings (ICOs) of 16 February 2018.
11 Law of 10 November 2009 on payment services, on the activity of electronic money institution and settlement finality in payment and securities settlement systems – as modified by the law 20 July 2018.
12 Swiss Financial Market Supervisory Authority (FINMA) Guidelines for enquiries regarding the regulatory framework for initial coin offerings (ICOs) of 16 February 2018.
14 Germany Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) advisory letter WA 11-QB 4100-2017/
0010, France Draft Law 'Relatif à la croissance et la transformation des entreprises' dated 19 June 2018, FINMA Guidelines for enquiries regarding the regulatory framework for initial coin offerings (ICOs) of 16 February 2018.
15 Article 1 (19) of the law of 5 April 1993 and Annex II Section B of the same law.
16 Article 1 Paragraph 55 implementing Article 4 1) 44 of Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014.
17 Finance Working Group of the Blockchain Bundesverband Statement on Token Regulation with A Focus On Token Sales.
18 This is in line with Luxembourg law, which largely recognises unmaterialised securities, the Law of 1 August 2001 and the Law of 6 April 2013 on dematerialised securities.
19 See also BaFin advisory letter WA 11-QB 4100-2017/0010, which considers that 'trading platforms for cryptocurrencies can, in principle, be deemed financial or capital markets within the meaning of the definition of a security'.
20 Similar to the Howey Test created by the US Supreme Court for determining whether certain transactions qualify as investment contracts. See ICOs and financial regulation, presentation by Jean-Louis Schiltz at the Bourse de Luxembourg on 4 October 2017 and at the University of Münster on 7 November 2017.
21 This is in line with the FINMA approach, which, in assessing ICOs, looks at the economic function and purpose of the tokens that are issued. In other words, if it looks like a duck, swims like a duck, and quacks like a duck, then FINMA will treat it like a duck. So, using the duck test: payment tokens like Bitcoin or their newer cousins look like means of payment and are therefore subject to AML requirements. As asset tokens look like securities, they therefore fall under securities law. Keynote at the Swiss–UK Dialogue held on 13 March 2018 in London, Mark Branson FINMA Chief Executive Officer.
22 We fully agree with the FINMA approach. See Keynote at the Swiss–UK Dialogue held on 13 March 2018 in London, Mark Branson FINMA Chief Executive Officer.
23 Point (4), (9) or (10) of Annex II Section B of the Law of 5 April 1993 on the financial sector.
24 Germany BaFin advisory letter WA 11-QB 4100-2017/0010.
25 ESMA statements of 13 November 2017.
26 Article 24-9 of the Law of 5 April 1993 on the financial sector.
27 Which, as we understand, are basically subject to the Financial Crimes Enforcement Network requirements (i.e., AML/CTF) regulations.
28 See Section V.
29 Guidelines on the information to be provided for the authorisation of payment institutions and for the registration of account information service providers under Article 5(5) of Directive (EU) 2015/2366.
30 Circular IML 96/126, Circular IML 98/143 (as amended by Circular CSSF 04/155), Circular CSSF 04/155.
31 Circular CSSF 17/654 clarifies the regulatory framework governing IT outsourcing relying on a cloud computing infrastructure provided by an external provider.
32 Regulation (EU) 2017/1129 of the European Parliament and of the Council of 14 June 2017 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market, and repealing Directive 2003/71/EC.
33 Article 1(3) of Regulation (EU)2017/1129.
34 Recital 13 of Regulation (EU)2017/1129.
35 Article 1 (3) of the EU Regulation 2017/1129 is a Member State option. The draft law 7328 aims at implementing this option into Luxembourg law.
36 Article 1 (4) of the EU Regulation 2017/1129.
37 Circulaire du directeur des contributions L.I.R. No. 14/5 – 99/3 – 99bis/3 du 26 juillet 2018.
38 Court of Justice of the European Union press release No. 128/15 Luxembourg, 22 October 2015, Case C 264/14 Skatteverket v. David Hedqvist. This is confirmed by Circular No. 787 of 11 June 2018 of the Direction de l'Administratio et des Domaines.
39 Article 1 (29) of the Law on payment services.
40 Article 24-1 et seq. of the Law on payment services.
41 Luxembourg Finance Minister Speech in Hong Kong dated 16 January 2018.