Regulation of Crypto – Fostering an Emerging Industry Through Legacy Frameworks

The crypto industry is evolving rapidly, and keeping up with the constantly evolving regulatory landscape around the nascent industry is not for the faint of heart. It becomes especially challenging, as crypto represents a global phenomenon that blurs the lines between different jurisdictions and stakeholders.

This post provides an overview of the technology and serves as an introduction to the regulatory developments within the crypto space.

Blockchains are data structures that allow data to be stored in a transparent and decentralised manner. This post purposely excludes enterprise/private blockchains, and focuses on open blockchain networks (crypto networks) that are not controlled by any central authority.

The Regulator’s Dilemma

With crypto, regulators globally are yet again faced by the challenge of regulating a global, fast-paced industry – this Regulator’s Dilemma is a consequence of high-growth technology companies being built in an environment of slow-to-change legacy frameworks. We have previously witnessed the clash of these two extremes, e.g. when ride sharing and data gathering were introduced as novel business models.

Often, in cases of groundbreaking innovation, the approach of regulators is to either (i) remain neutral, (ii) apply existing and/or new legislation, or (iii) ban the activity related to the new technology.

The Regulator’s Dilemma stems from the trade-off between permitting and promoting innovation while simultaneously ensuring fair markets, protecting consumers, and preventing criminal activity. Moreover, the global nature of a technology puts pressure on regulators of economically and politically influential markets, as the rest of the world waits for them to introduce harmonised industry-wide standards.[1]

Initially, the very same attributes that raise the interest of early adopters of a novel innovation (anonymity, digital cash, fundraising on steroids etc.), also attract fraudulent actors who are able to benefit from the immaturity and unregulated nature of the industry. This regulatory uncertainty is often mitigated by the fact that forward-looking stakeholders have incentives to collaborate and issue self-regulation[2] and best practices, in order to stand out from fraudulent actors. Eventually, these best practices develop into industry-wide standards.

What and Who Are We Regulating?

Stateless vs. Stateful Protocols

In order to meaningfully regulate an emerging industry, it is essential to understand the core tenets of its underlying technology.

Crypto networks are protocols that represent the next generation of internet protocols.

A protocol sets a standard for communication between computers. The internet as we know it is made up of a suite of stateless protocols.  By being stateless, a protocol is only able to transmit data but not store it – this immediately presents a problem for usability, as you are only able to send copies over the internet. The reason all messages are copies is because stateless protocols cannot record the activity happening in the protocol – they cannot detect whether the same message has been sent multiple times.

Take the SMTP (Simple Mail Transfer Protocol) for example, it provides the communication standard for computers wishing to exchange email messages. Without a user-facing application being built on top of the SMTP protocol (such as Gmail), it would be impossible for the user to keep track of what has been sent to whom and when.

That is to say, stateless protocols require stateful applications, with proprietary databases, to be built on top of them. These applications store a record of all user activity on their platforms – such as likes, shares, messages, etc. It is this history of user interactions that enables companies like Google and Facebook to provide their users an order of magnitude better user experience (UX). It is also this history of user interactions that has made these companies incredibly valuable.

Crypto protocols, however, differ from early web protocols in that they are stateful, which means that they are able to both transmit and store data. This new data storing capability enables crypto protocols to capture much of the value previously captured by companies like Google and Facebook.

Take the Bitcoin protocol as an example. It enables the exchange of unique messages. This means that a transaction in the Bitcoin protocol cannot be double-spent, as all transactions are recorded in the Bitcoin protocol and, therefore, duplicate transactions are automatically deemed invalid as already spent. It is this uniqueness that enables these protocols to transmit value, and as that value is now transmitted in the form of digital messages, it can also be programmed.[3]

These messages can be made arbitrarily complex. They can be encoded to contain much of the exact same business logic or transaction workflow (‘if A, then B, else C’) previously provided and monetised by applications built on top of stateless protocols.

Companies Become ‘Lighter’

The execution of business logic is coordinated more efficiently by a protocol than a single company.

As a result, the execution of business logic migrates from applications to their underlying crypto protocols. Since it is this same business logic that the large incumbent tech companies have previously monetised on, much of the value capture will likewise move from the applications to the underlying crypto protocols.

In order to access this value creation, one needs to purchase and own tokens native to these crypto protocols. The ownership (which is not possible for our current internet protocols) of crypto protocols is represented through their native tokens. Additionally, these tokens serve as the incentive and coordination mechanism for the development and maintenance of these protocols.

As much of the value capturing activity is moved down to the protocol level, the business model for user-facing companies or applications will shift to focus even more on improving the UX for their end users. Companies will eventually become lighter UI clients that tap into the functions and liquidity provided by the underlying crypto protocols.

Who Should We Regulate?

A crypto protocol is developed by a decentralised community of contributors. In the early stages of a protocol’s lifecycle, it is owned and maintained by the core developers and a small group of early adopters. As the protocol develops, it should attract participants globally.

From a regulator’s point of view, identifying the participants who should be held legally responsible for the activity of the crypto protocol becomes more difficult over time. When a protocol is up and running and governed by a global and decentralised community of contributors, it encompasses multiple jurisdictions and stakeholders, making it a nightmare for regulators.

It is partly for this reason that the regulators in the US have been of the opinion that as long as a crypto protocol is dependent of a dedicated core team in the development of the protocol, its tokens should be subject to customary securities laws. Once the protocol passes a certain level of decentralisation, its tokens should no longer be deemed as securities and become freely tradable on the open market.

Although, it is still too early to say that this line of reasoning would be broadly applicable to all crypto protocols. The classification of different crypto protocol tokens is something I will touch upon more thoroughly in my next blog post.

Companies that build their businesses on top of crypto protocols (see graph above) are subject to customary regulation as corporations. They are traditional companies registered with some local jurisdiction and have opted to replace their proprietary databases with crypto protocols. This category comprises plain UI companies, but also exchanges and custodians of crypto assets. These exchanges and custodians are responsible for implementing sufficient AML & KYC standards and processes, and depending on their jurisdiction, are obliged to obtain licenses or permits for their operations.

As is evident from this division, the companies or applications themselves are not the problem for regulators.

Instead, it is the crypto protocols that cause extreme headache for regulators and policy makers around the world. Regulating a phenomenon that enables value transfer across the internet is hard, especially since this activity is no longer governed by a clearly identifiable third-party but rather by a global and decentralised community of contributors.

Recent Developments and Future Outlook

Crypto is increasingly catching the interest of regulators globally. As more and more legacy institutions, such as Goldman Sachs, Intercontinental Exchange, and Fidelity are entering the space, we have witnessed a push for increased regulatory transparency and certainty among authorities globally.

Crypto as a phenomenon has not evolved in a silo. In order to fully understand the regulatory debate surrounding the industry, it is necessary to tie relevant market events to those regulatory decisions that have been made thus far:


In the US, the Securities and Exchange Commission (SEC) plays a substantial role in the public discourse around crypto. Decisions made by the SEC also actively shape the regulatory debate in the EU (and UK).  Both the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) – in addition to several member state FCAs – have finally taken a stance on crypto and are engaged in forming new regulatory initiatives to enable the development of common standards for European companies operating in the crypto space.

Regardless of the uncertain and rocky road ahead, we can be certain that a unified regulatory framework, which will unleash the full potential of crypto, will become a reality – probably sooner rather than later. The increasing momentum of market forces will eventually lead to a sound and unified regulation of the crypto industry.

For comments, questions or further discussion, please contact me at aleksis.tapper@castren.fi 


[1] For example, US based companies decided to conduct their ICOs in jurisdictions outside the US and prohibited their offerings from being marketed to US consumers due to the lack of clear regulation of ICOs in the US.