Why existing regulatory frameworks for securities don’t work for crypto

Here’s why IOSCO may be missing the mark on regulatory standards for crypto markets.



On 16 November 2023, the intergovernmental body of the world’s major securities regulators responsible for global standard-setting, the International Organization of Securities Commissions (IOSCO), published its final report on Policy Recommendations for Crypto and Digital Asset Markets (the Recommendations).

Published only three and a half months after the consultation period closed on 31 July 2023, the report takes a regulatory approach to crypto and digital asset markets that is “consistent with IOSCO’s Principles and associated standards for securities markets regulation” and contains 18 recommendations that consider both the primary market, or the issuers of crypto-assets, and the secondary market, crypto-asset service providers (CASPs) or the firms that undertake activities like the exchange or trading of crypto-assets.

Although outcomes such as market integrity, disclosure, honesty, and the combatting of money laundering (ML) and terrorist financing (TF) are critical for all financial markets, there is an open question as to whether existing standards for securities market regulation achieve the outcomes we need for crypto. Here are some reasons they may not work.

Crypto doesn’t fit into existing categories

IOSCO’s recent report focuses on the substitutability of crypto-assets “vis-à-vis traditional financial instruments” and calls upon regulators to analyse the adequacy of their existing frameworks and consider the extent to which “crypto-assets are, or behave like substitutes for, regulated financial instruments”. The report also indicates that the recommendations “are designed to apply to all types of crypto-assets, including stablecoins.”

However, the issuance of crypto-assets can differ significantly from the issuance of regulated financial instruments or securities. The report fails to distinguish between different types of crypto-assets at the moment they are issued and on an ongoing basis as they evolve.

Certain crypto-assets issued for fundraising are similar to traditional financial instruments or securities. Like stocks or bonds, they are sold in exchange for money, and the issuer purports to use the money raised to finance a project. But what happens after the project is delivered and the crypto-asset is traded on secondary markets? Is it still securities-like?

In July, a United States judge applied the Howey test (a court decision upheld 77 years ago in 1946) to a case regarding the crypto-asset issuer Ripple. The judge ruled that the issued crypto-asset XRP can be a security and not a security simultaneously. If it’s sold to certain people where information has been disclosed, then it’s a security. If it’s sold to other people without the disclosure of information, it’s not a security. How can regulators efficiently regulate if it’s unclear which crypto-assets are within the scope of their jurisdiction? In this case, an existing framework applied to crypto-assets has only muddied the waters.

Utility tokens are not at all securities-like. Europe’s Markets in Crypto-Assets (MiCA) Regulation notes utility tokens are “designed to provide access to goods and services offered by their issuers.” They are purely functional and do not exist to provide purchasers with financial returns. For example, Filecoin is a crypto-asset that consumers use to participate in a decentralised file storage network. It is not financial in nature and does not represent ownership in the Filecoin project.

Stablecoins are currency-like tokens that have been issued specifically as a medium of exchange or a proxy for some other currency, asset or determinate value. When pegged to a fiat currency like USD, stablecoins may be more like a form of e-money than a security. In some cases, stablecoins are backed by a reserve of assets or a basket of different assets and, in other cases, they rely on smart contracts and the over-collateralisation of other crypto-assets to achieve stability. Different stablecoins come with different risks.

Fitting all of crypto into one existing category doesn’t work. Applying one set of rules to all types of crypto will not effectively mitigate risk because the risks are simply not all the same. Without clear categories, regulators can’t regulate, and courts can’t enforce outcomes-focused rules.

Categories will need to evolve to keep frameworks effective

Existing financial frameworks typically regulate secondary markets (in the case of the IOSCO Standards, CASPs) by relying on a set of categories for primary markets that define what is being traded or exchanged. For example, Europe’s MiCA has applied specific regulations to distinct categories of crypto-assets, such as asset-referenced tokens (ARTs) and e-money tokens (EMTs), and outlined exemptions for other categories such as utility tokens and crypto-assets that are free or used in a limited network of exchange. If a crypto-asset meets certain criteria and a service provider performs certain activities with it, then it’s a CASP that is subject to secondary market regulation. To some extent, this works, but only if you have solved the initial challenge of categorisation.

Like the Internet in the 1960s, Bitcoin and distributed ledger technology (DLT) are only 15 years old and still nascent. Back then, the World Wide Web had been created as a layer, an application sitting on top of the mechanics of the Internet. It was impossible to predict how it would develop. Similarly, we cannot predict how science, technology and innovation will evolve crypto-assets or even “securities-like” crypto-assets. If something is rapidly evolving, it is difficult to define and categorise. Regulating based on categories has failed before.

Prior to the 2008 financial crisis, we witnessed the burgeoning development of derivatives. In large measure, this exposed the weaknesses of a regulatory system which couldn’t keep up with these new products. Ultimately, some contributed to a credit crisis that nearly brought down the global banking system. Just as the existing system for securities could not adequately or sufficiently regulate new kinds of derivative assets, category-based frameworks for crypto-asset markets will be continually challenged by new definitions and unable to ensure regulatory outcomes.

Applying rigid categories to the regulation of crypto-asset markets is a bit like buying an outfit for a baby and expecting it to fit five to ten years from now. The categories will be tested to the extreme and will eventually no longer be fit for purpose. Categories must be flexible, evolving and adapting to the market.

Existing frameworks don’t account for disintermediation

Existing frameworks for the regulation of financial instruments and securities are structured to assume certain intermediaries are involved in the provision of financial services. These markets rely on these intermediaries, and regulation places obligations on them accordingly.

A press release[1] issued by the United States Securities and Exchange Commission (SEC) in November notes that crypto intermediaries “often provide a suite of services that, in the rest of the securities markets, typically are separated from each other: exchange functions, broker-dealer functions, and custodial and clearing functions. The commingling of the various functions within crypto intermediaries creates inherent conflicts of interest and risks for investors.”

IOSCO’s Recommendations acknowledge these potential conflicts of interest and risks and state that “Such systems, policies and procedures should be aligned with existing relevant securities and other regulations.”

One of the virtues of crypto (and its underlying technology) is that it can disintermediate financial services. In traditional finance, exchanges, custodians and clearing houses are distinct and separate entities that each carry out individual functions. In some cases, CASPs perform all three functions. Many CASPs are simultaneously market operators that facilitate the exchange of crypto-assets and trading intermediaries or broker-dealers that execute trades on behalf of their customers. This reduces the cost of services for consumers and can make them more efficient. In today’s crypto-asset markets, where a high proportion of trades take place online and without intermediary advice, is it necessary to trade through a broker-dealer website rather than directly on a trading platform? Should certain profit-making financial entities be required by law, even when the cost to consumers may not be justified?

Arguably, the disintermediation of crypto justifies a different approach. Yes, controls can be put in place to ensure that conflicts of interest are mitigated and that CASPs provide pre- and post-trade information and best price or execution, and prevent the misuse of trading information. However, existing frameworks could be streamlined and still effectively achieve the same regulatory outcomes for CASPs.

New technology introduces new risks

Chapter 8 of the IOSCO Recommendations briefly addresses operational and technological risks. It specifies cyber and system resiliency risks as unique to CASPs and indicates that risks should be identified and adequately disclosed.

Unlike traditional financial markets, crypto-markets settle transactions 24 hours a day, seven days a week. In securities markets, the clearing and settlement of a transaction can take 2 or more days. On distributed ledger technology (DLT), settlement times are instant. In short, money moves more quickly through the market than it does in traditional finance (TradFi). The ecosystem of protocols and blockchains is highly interconnected, and thus, there’s a high degree of fragmentation. The speed and interconnectedness of crypto-asset markets pose new, unique risks.

In some cases, CASPs automate certain market functions through the use of smart contracts, pieces of code that have the power to execute autonomously and automatically. Smart contracts can be interdependent and allow complex transactions to happen more quickly than in traditional financial markets. Smart contracts present new risks. If one smart contract malfunctions, there is a potential domino effect across the market. How can regulation ensure they are continuously audited and do not fail to function correctly? How can regulation ensure they are not vulnerable to cybersecurity risks?

Although IOSCO’s Recommendations outline guidance for addressing some of the unique risks posed by crypto-asset custody, existing financial frameworks do not address such risks. CASPs that custody crypto-assets provide safekeeping of the private keys or seed phrases which control an individual or institution’s access to initiate transactions on a distributed ledger.

Existing frameworks do not impose standards on the management of these private keys or seed phrases. If a private key or seed phrase is lost or hacked, redundancies should be in place so that client assets are safe and access is maintained. Policies are needed to govern how systems are reset, new keys and seeds are generated, or funds are moved to a new wallet if keys or seeds are compromised.

In many cases, ‘same activities, same risks, same regulatory outcomes’ is a pragmatic approach to the regulation of crypto-asset markets. In other cases, regulation should acknowledge that new technology brings new risks, and a ‘same activities, different risks, same regulatory outcomes’ approach would be more apt. Different risks may require different rules.


The IOSCO Recommendations take the stance that all types of crypto-assets can be regulated under existing financial frameworks. But if regulators apply existing regulatory frameworks to crypto-asset markets, they are, in fact, not able to take a truly outcomes-focused approach.

Crypto doesn’t fit efficiently into existing regulatory categories created for financial instruments. Applying existing legislation to all types of crypto-assets leads to regulatory uncertainty. A lack of clarity creates an unfavourable environment for innovation.

Most existing regulatory financial frameworks categorise assets and apply regulation to those that fit the categories. But there remains the challenge of creating categories for crypto-assets, a continuously changing and rapidly evolving technology. When created, categories will quickly be outdated, which may ultimately impede outcomes.

The technology that powers crypto-asset markets ultimately allows for the provision of cheaper and more efficient products, but it also presents nuanced risks. Regulation needs to appropriately account for these risks in order to achieve the same regulatory outcomes.

[1] Securities and Exchange Commission, SEC Announces Enforcement Results for Fiscal Year 2023, 14 November 2023