Despite an Ever-Shifting Regulatory Minefield, Enterprise Blockchain Projects Find a Way to Tip Toe Forward
Despite significant regulatory uncertainty when it comes to cryptocurrency and blockchain laws in the US, enterprises have little choice but to lean into the technology’s disruptive potential. Either that, or risk disruption.
By William Van Winkle
Published: March 31, 2023
In this Article
- The United States Congress has indicated on multiple occasions that laws regarding blockchain and cryptocurrency are on the way. But beyond the rhetoric, the US federal government has remained in a state of nearly total gridlock when it comes to putting any bills on the desk of the US President for signature.
- Absent such laws, agencies such as the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have been left to battle each other for regulatory jurisdiction over digital assets, relying primarily on older laws that were drafted for different classes of assets and financial instruments.
- Amid significant ambiguities, the SEC is beginning to draw blood as it begins a variety of enforcement actions against companies it believes to be in violation of securities laws.
- Between the highly intimidating activities of the SEC and the long-term regulatory uncertainty when it comes to cryptocurrencies and blockchain, enterprises are in a catch-22. Should they tip-toe through the minefield and move forward with their blockchain aspirations before they’re outmaneuvered by other blockchain plays? Or should they hold their current position and wait for the dust to settle?
- Experts say the only choice is to move forward.
In our prior coverage on securities and commodities, we surveyed the current regulation landscape surrounding blockchain and Distributed Ledger Technologies (DLT). In short, governmental regulation around the world, and particularly in the US, has yet to catch up to the rapid changes happening in the “crypto” space. This has left regulators to rely on decades-old laws and guidance (such as the Howey Test for securities) as a means for assessing 21st-century instruments and practices. The situation is akin to regulating automobile traffic with laws made for the horse-drawn era. Many laws might sensibly carry over; some will not suit at all.
But which laws apply to the DLT space and what guidance are regulators offering to enterprises versus industry players like Coinbase, which is now apparently in the Securities and Exchange Commission’s (SEC) crosshairs? Definitive answers are few and far between. The SEC’s Gary Gensler offers statements to the press and continues to pursue enforcement, but SEC officials do not make laws. That’s Congress’ job, and it’s a fair bet that the typical member of Congress is considerably further behind the DLT awareness curve than the SEC.
In the absence of new crypto-centric laws, enterprises have a dilemma: avoid crypto altogether or make a good-faith effort to comply with old laws while sailing boldly into uncharted regulatory waters. As we’ve indicated before, our stance at Blockchain Journal is that doing nothing is a poor strategy for growth and competitive advantage (or simply to fend off disruption). Deloitte, the IT consultancy which has four practices dedicated to blockchain (tax, consultancy, audit, and advisory), is similarly aligned to that view. At the 2023 edition of DC Blockchain Summit, where blockchain and cryptocurrency regulation was the agenda's main theme, Deloitte blockchain consultancy leader Wendy Henry told Blockchain Journal editor-in-chief David Berlind, “You can’t just sit on the sidelines and wait for everyone to figure this out. You’ll be left behind.”
Meanwhile, there are few signs of regulatory clarity emerging for DLTs in the near future. (Skeptics might argue that the US government has financial incentives not to provide such clarity, as doing so might legitimize cryptocurrency and undermine the US dollar’s position.) How, then, should enterprises move forward with DLT in a conservative, responsible manner that’s unlikely to arouse regulatory repercussions?
What is Self-Regulation?
Gabriella Kusz, CEO of the Global Digital Asset and Cryptocurrency Association (Global DCA), is no fan of the “wait-and-see” approach.
“How long are you going to wait for people to regulate you before you realize that you are the only one who has the expertise, ability, and knowledge to regulate effectively and to do it from a standpoint of consumer protection and market integrity?” she asks. “People often look to others to solve their problems instead of understanding that, ultimately, they’re the ones who have always had the capacity to solve the problems. If regulators don't have the capacity to regulate a space effectively, maybe stop yelling at them and start taking action to regulate yourself.”
Self-regulation involves proactively identifying and addressing potential compliance risks before they become regulatory violations. This may include conducting regular audits and risk assessments to identify areas of non-compliance, implementing policies and procedures to mitigate those risks and monitoring compliance with regulatory requirements. Conventional regulatory bodies may be able to address many of these facets, but they’re unlikely to keep pace with such a fast-moving field as DLT.
To address the gap between the ideals and practicalities of governmental regulation, Kusz and the Global DCA advocate for public-private partnerships in which enterprises marry their industry expertise with the enforcement authority of government regulators. Rather than the industry operating in its own vacuum, Kusz believes that regulators should “provide the structure within which a self-regulatory mechanism should exist.”
To this end, self-regulation can leverage industry-oriented, decentralized tools to help provide accountability and auditability. Kusz points to proof of reserves (PoR) as one such tool. PoR offers an independently verifiable and publicly visible means to ensure that an organization actually holds the assets it purports to have. However, PoR doesn’t necessarily map well to traditional structures like banking, where a fractional reserve system allows institutions to lend more capital than they hold. Thus, regulators who might normally look to centralized finance (CeFi) practices for guidance might do well to let industries and enterprises that embrace DLT provide their own accepted, transparent methods for preserving trust and accountability.
Kusz offers another interesting view on self-regulation: a principles-based approach that spotlights the almost philosophical difference between the Commodity Futures Trading Commission (CFTC) and the SEC. Whereas the SEC emerged as a rules enforcement agency following the speculation and corruption that preceded the Great Depression, the CFTC emerged to help foster responsible trading within an emergent industry. The SEC, she says, uses regulations to establish a “you cannot do this, and you cannot do that” checklist, whereas the CFTC focuses more on the spirit than the letter of regulations. This latter approach, argues Kusz, lends itself better to the self-regulation of DLT projects.
Self-regulation can deliver a host of benefits, including greater flexibility in meeting business goals, improved operational efficiency (especially in reducing the costs associated with compliance management), and minimization of regulatory compliance actions. Essentially, enterprises can make an educated guess about what regulators want, even without legal clarity, and proactively address compliance risks. All of this, in turn, can publicly demonstrate a commitment to self-regulation and ethical business practices that may enhance a company's reputation among customers, stakeholders, and regulators.
“We’re in a space with a high degree of ambiguity, complexity, volatility, and uncertainty,” says Kusz, “but we can still identify what is known versus unknown. You can begin by aligning with the knowns.”
Keep in mind that self-regulation is not a substitute for regulatory compliance. Companies must still comply with all applicable laws and regulations once clarity and precedent have been established. However, self-regulation can complement existing regulatory frameworks and put enterprises further down the path to successful DLT implementation than they might have been with no such compliance effort.
Acoer: A Case Study in Self-Compliance
Faced with the potential uncertainties and extra work of attempting self-regulation for the sake of bringing a DLT project to fruition, many leaders might question if the prospect is worthwhile. Naturally, the answer is: It depends. As with any other technology initiative, adopting a DLT strategy can be pursued in myopic, misguided ways or for long-term growth aimed at helping people and fixing systemic flaws.
Georgia-based software developer Acoer took the second road. The company specializes in creating open, blockchain-enabled solutions for the healthcare market. According to CEO Jim Nasr, Acoer has spent years developing and refining its blockchain-based applications for a variety of use cases at a time when the need has never been greater.
“Why bother to bring in cryptography and a public ledger?” asked Nasr. “Why not just have a private database and an Excel spreadsheet? Because in finance and healthcare and other industries, it’s about siloed systems and data sources. Cash cow intermediaries milk the system and inflate the time and cost of everything. Blockchain technology lets us monitor all transactions—the entire data flow—so there is transparency, accountability, and auditability between all parties. It gives us the tools to fix what is undeniably a broken system.”
To illustrate, consider one of Acoer’s current client projects to improve so-called orphan drug development (drugs for rare diseases that meet certain criteria). The client needed to find patients who were afflicted with a highly uncommon form of pediatric cancer. With an underserved prospective sample base, there was a keen need for this research. However, the potential market was too small to support conventional outreach methods, which would be burdened by middlemen and intermediary costs. Acoer created a blockchain-based solution that used the client’s limited budget very efficiently, rewarded patient participants, and did everything possible in a self-regulatory fashion to steer clear of SEC and securities violations.
The solution hinged on token economics and transactions being recorded on an open, decentralized layer-one (L1) blockchain. According to Nasr, the specific L1 used for the solution is less important than its attributes of privacy, security, stable pricing, time to finality (real-time performance), and auditability, which its chosen L1 amply provides. (Nasr notes that no private data is kept on the public blockchain. If Acoer should ever need to switch to a different L1, it would entail little more from a technology perspective than switching over the API in its solution.) The “tokenomics” involve having a reserve of asset-backed stablecoin, USD fiat, or the L1’s native currency to pay transaction fees and reward patients for their participation. Acoer created a proprietary token backed by that reserve. The L1 native currency trades on the exchange market, but the proprietary token does not. The reserves (and the implied PoR) are in a USD-pegged stablecoin, and the underlying pricing structure is based on that stable pricing. The amount of proprietary token remains consistent.
To illustrate, assume that on March 1, Acoer minted 10,000 “Acoer” tokens on the underlying L1 blockchain. At the time of minting, the “value” of each token was $1 (USD), which is a stable value. Concurrently, Acoer also deposited $10,000 into a bank/escrow as PoR. Next, assume that by April 1, 1,000 Acoer tokens have been awarded to patients. (This is their incentive reward for participating in the study and completing certain tasks.) When those 1,000 Acoer tokens have been redeemed for $1,000 in total (on May 1, for example), then those 1,000 tokens are “bought back” and burnt, leaving only 9,000 Acoer tokens available and an equal $9,000 in the bank as PoR. By July 1, there might be 2,000 Acoer tokens left (and $2,000 in the bank for PoR), and the project may need more to continue operating. At that point, Acoer could provide, say, 5,000 additional Acoer tokens, then mint 5,000 new Acoer tokens, again with the stable price of $1 per token, and put $5,000 into the bank for PoR.
Throughout this process, participants only receive USD. The token serves as intermediary “plumbing” under the surface to connect the participant with the L1 blockchain. Token burns show proof of patient compensation (although payments are made after converting into USD, so the patient has no idea that crypto coins and tokens were ever involved) and form a transparent, publicly visible “paper trail” for auditing.
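The mint, award, and redeem-and-burn cycle walked through above can be replayed as an audit that checks, after every recorded event, that outstanding token supply still equals the escrowed reserve. This is an added example, not Acoer's code: the event format, the function and field names, and the 7,000-token award/redeem step used to reach the article's July 1 balance are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PEG_USD = 1  # stable per-token value used in the article's walk-through


@dataclass
class Ledger:
    supply: int = 0       # tokens in existence (minted minus burnt)
    awarded: int = 0      # tokens awarded to participants, not yet redeemed
    reserve_usd: int = 0  # escrowed USD acting as proof of reserves
    paid_usd: int = 0     # USD paid out to participants


def audit(events):
    """Replay (kind, tokens, usd) events; return (ledger, findings)."""
    led, findings, last_gap = Ledger(), [], 0
    for i, (kind, tokens, usd) in enumerate(events):
        if kind == "mint":        # tokens minted, usd deposited into escrow
            led.supply += tokens
            led.reserve_usd += usd
        elif kind == "award":     # tokens allocated to a participant
            if tokens > led.supply - led.awarded:
                findings.append((i, "award exceeds unallocated supply"))
            led.awarded += tokens
        elif kind == "redeem":    # tokens bought back and burnt, usd paid out
            if tokens > led.awarded:
                findings.append((i, "burn exceeds awarded tokens"))
            led.supply -= tokens
            led.awarded -= tokens
            led.reserve_usd -= usd
            led.paid_usd += usd
        else:
            findings.append((i, f"unknown event kind {kind!r}"))
            continue
        # PoR invariant: every outstanding token is backed by PEG_USD in escrow.
        gap = led.supply * PEG_USD - led.reserve_usd
        if gap != last_gap:       # report a gap once, when it appears or changes
            findings.append((i, f"reserve gap of {gap} USD after {kind}"))
            last_gap = gap
    return led, findings


# Constructed ledger following the article's figures.
ARTICLE_EVENTS = [
    ("mint", 10_000, 10_000),   # March 1: 10,000 tokens, $10,000 escrowed
    ("award", 1_000, 0),        # by April 1: 1,000 tokens awarded
    ("redeem", 1_000, 1_000),   # May 1: redeemed for $1,000 and burnt
    ("award", 7_000, 0),        # assumed activity leading to July 1
    ("redeem", 7_000, 7_000),   # leaves 2,000 tokens and $2,000
    ("mint", 5_000, 5_000),     # top-up: 5,000 tokens, $5,000 escrowed
]
# Constructed failure case: the top-up mint is only partly funded.
UNDERFUNDED = ARTICLE_EVENTS[:-1] + [("mint", 5_000, 4_000)]

if __name__ == "__main__":
    for name, events in (("article", ARTICLE_EVENTS), ("underfunded", UNDERFUNDED)):
        ledger, findings = audit(events)
        print(name, ledger, findings or "no findings")
```
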
The tokenomics were specifically designed to ensure that coin values tied to the underlying L1 chain at any point in time were entirely inconsequential. The integrated price stability aspects made sure of that. The proprietary token contained no value beyond utility value within the solution—and, as we’ve seen, utility tokens are not currently treated by US authorities as securities. Thus, Acoer devised a DLT solution beyond the conventional bounds of financial instrument regulation but exercised self-regulation with an intent to conform to current conventions and expected future regulations.
Nasr describes Acoer’s tokenomics approach as being “highly conservative.”
“In certain cases, I’ve walked away from clients because they wanted to take on a much riskier deflation model. We just don’t want to associate our name with that.”
Additionally, Acoer uses the L1 blockchain in conjunction with independently verified PoR for the research funds escrowed by the client. So, if the client promises that they have allocated $100,000 for a patient research project, those funds can be publicly examined and all withdrawals seen and verified at any time. Those L1 transactions also cross-link to (anonymized) data flows, so auditors can verify that payments are tied to actual data derived from patient research. This level of transparency is shunned if not logistically impossible with traditional healthcare research methods.
“This use model probably wouldn’t be as needed for research in a very common, large drug space,” says Nasr. “But orphan drug development is very costly, and it’s difficult to reach the underserved communities’ researchers who are trying to help. It’s not uncommon that after four or five years of research approaches, researchers get to a point where they find out they’ve been pursuing a duplicate study because of industry opacity. There’s no transparency, no auditability. This is why we think that cryptography, public ledgers, transparent accountability, proof of action and data, and all the rest—can move the market and advance constructive solutions.”
Self-Compliance is Not For The Inexperienced
Jim Nasr was a chief software architect at the Centers for Disease Control and Prevention (CDC) and, in addition to his work with Acoer, co-chairs an IEEE subcommittee on decentralized clinical trials. He has extensive knowledge of IT solutions and regulatory concerns in healthcare. Similar qualifications can be attributed to his Acoer executive colleagues. Together, they have extensive expertise in privacy and DLT. However, Nasr admits that this alone was not sufficient for self-regulation.
“In preparing our blockchain solutions, we talked at length with our attorney and our accountant. And I’ll be honest—we selected both of them after some misfires because of their specific crypto experience and relationships with others in the crypto space. We found that attorneys and accountants without that specific expertise can become very expensive while, frankly, delivering no results because they just don’t know enough. They’re not technical enough and don’t add value. They’re more likely to hand out blanket documents that leave you wondering how the material applies to your situation.”
By the same token, Nasr understands that some enterprises may not have the resources to procure the expertise necessary for prudent self-regulation. For such organizations, he recommends taking a close look at and potentially emulating some attributes of successful Decentralized Autonomous Organizations (DAOs).
“Almost by definition, credible DAOs have transparency,” he says. “They run on smart contract code and have probably figured out many regulatory concerns. See how they’ve handled innovation in your industry, particularly around areas such as privacy preservation, treasury management, and tokenomics. Look at how they impute governance on their solutions. Those observations can be very helpful as a starting point for self-regulation and a strong place to begin a conversation with your attorney or advisor of choice. Don’t just start with a blank page.”
In a similar vein, enterprises that are pursuing self-regulation should be mindful of best practices that transcend industries. Global DCA’s Kusz points to a need for a broader, deeper commitment to due diligence, and she points to the FTX collapse as a case in point.
Some organizations considered relationships with FTX but walked away once too many red flags appeared. Others failed to understand FTX’s leadership team, its capabilities, and that team’s decisions. Kusz suggests that those who rejected FTX often did so because their due diligence teams were sufficiently “competent and capable on the subjects of blockchain and digital assets.” Companies that lack such expertise remain at far higher risk of failing to make rational, constructive investment decisions. In the case of FTX, this meant an investment of capital, but, more broadly, the same could be said of investment of resources into DLT applications, organizations, and token projects.
“Firms that have been trying to align from a legal and regulatory standpoint have brought on board leadership that combines financial as well as technological expertise, people who understand the emerging digital asset space as well as traditional financial governance, internal controls, processes, and procedures,” says Kusz. “Groups that have blended these two levels, and maybe another one or two besides, that’s who’s going to stand and move forward. Those are the ones more likely to allocate capital into projects that have utility value and economic opportunity.”
Ultimately, the question of self-regulation often comes down to a “chicken-and-egg” problem. Doing self-regulation well comes from experience, but good experience comes from doing self-regulation well. Fortunately, blockchain technologies and solutions have reached a level of maturity such that trustworthy resources should be available, although likely not (yet) abundant. Instances of effective self-regulation in one industry can inform directions and decisions in similar and/or related industries. Specific applications will have their own regulatory concerns (such as HIPAA compliance specifically within healthcare), but many principles can be carried across fields. While waiting for regulatory clarity on DLT implementations, enterprises can move forward with innovative DLT solutions backed by informed, responsible self-regulation.