Answer ... In the United Kingdom, there is no single regulatory framework which governs virtual currencies. However, given the rise in the popularity of virtual currencies (eg, Bitcoin, Ether and other types of ‘cryptoassets’) and the increasing number of initial coin offerings in 2017, the chancellor of the Exchequer launched the Cryptoassets Taskforce in March 2018 (see question 2.1 for the definition of ‘virtual currency’ and ‘cryptoasset’). For the purpose of this Q&A, we focus largely on ‘cryptoassets’ as recognised by UK regulators and the UK money laundering regime.

The taskforce comprised Her Majesty’s Treasury, the Financial Conduct Authority (FCA) and the Bank of England (BoE), which together produced a final report in which they concluded that distributed ledger technology (DLT) (the technology upon which cryptoassets rely) has the potential to deliver significant benefits in financial services and other sectors. However, they warned that the regulators would take action to:

• mitigate the risks that cryptoassets can pose to consumers and market integrity;
• prevent the use of cryptoassets being used for illicit activity;
• guard against the threats to financial stability that could emerge in the future; and
• encourage responsible development of legitimate DLT and crypto-asset related activity in the United Kingdom.

In July 2019, after publication of the taskforce’s final report, the FCA issued final Guidance on Cryptoassets (PS19/22), in which it sought to clarify where the different categories of cryptoassets fall in relation to the FCA’s regulatory perimeter (ie, the boundary that separates regulated and unregulated financial services activities). It provides guidance as to which types of cryptoassets would be deemed to be regulated by the FCA and which would be regarded as unregulated (see question 2.1).

Answer ... Again, there is no single regulatory framework which governs entities providing services relating to virtual currencies. Instead, the extent to which these entities are regulated will depend on the nature of the activities which they conduct, and the nature, scale and size of their business. As a starting point, therefore, entities should consider whether and to what extent they fall within the United Kingdom’s regulatory perimeter and, if necessary, apply for the relevant authorisation from the UK regulator(s).

The FCA’s Guidance on Cryptoassets clarifies which types of cryptoassets are likely to be regulated and is relevant to any firm issuing, creating, buying, selling, holding or storing cryptoassets and firms marketing cryptoasset products and services, as well as their advisers. It may also be relevant to investment managers, recognised investment exchanges, multilateral trading facilities and organised trading facilities.

Any firm which carries on any regulated activity, by way of business in the United Kingdom, involving a regulated cryptoasset (see question 2.1) may require authorisation and the relevant permission from the FCA and/or Prudential Regulation Authority (PRA). Carrying out regulated activities without authorisation constitutes a criminal offence in the United Kingdom. For example, if a person is found to have provided advice in relation to a security token (see question 2.1) that amounts to the regulated activity of advising on investments, but is not authorised or exempt, he or she may face up to two years’ imprisonment, an unlimited fine or both. He or she could also be banned from working within the financial services industry again.

In addition, while issuers of certain cryptoassets may not need to be authorised themselves (eg, issuers of security tokens which do not carry out any regulated activity), there are certain requirements relating to the issuance of tokens which may still apply – for example, the FCA’s prospectus and financial promotions requirements. However, where cryptoassets constitute e-money (see question 2.1), issuance may itself be a regulated activity, requiring authorisation by or registration with the FCA.

In its final report on cryptoassets issued in October 2018, the Cryptoassets Taskforce identified that cryptoassets pose risks around criminal activity such as money laundering and terrorist financing because of their accessibility online, global reach and pseudo-anonymous nature. On 10 January 2020, the scope of the United Kingdom’s anti-money laundering and counter-terrorist financing (AML) regime was widened to capture cryptoasset exchanges and custodian wallet providers for the first time (see question 7.1).

Given the complexity of the regulatory treatment of cryptoassets, any person or entity that is involved in activities relating to cryptoassets should seek legal advice on the extent to which the UK regulatory regime applies to its activities and whether they require any regulatory permissions.

Answer ... The Financial Services and Markets Act 2000 (FSMA) established the FCA and the PRA as the statutory regulators of UK financial services businesses, and provides them both with their statutory powers, including the general power to make rules under the FSMA. These rules are extensive and are largely embodied within the FCA’s Handbook of Rules and Guidance and the PRA’s Rulebook.

Generally, the PRA forms part of the BoE and regulates and supervises all major banks, building societies, credit unions, insurers and major investment firms in the United Kingdom from a prudential perspective. Its remit covers the most systemically important firms in the United Kingdom.

The FCA regulates the behaviour and conduct of all financial services firms, with the aim of protecting consumers, preserving market integrity and enhancing competition, ensuring that markets work well so that consumers get a fair deal. It is also the prudential supervisor for the large majority of firms which are solo-regulated by the FCA.

Entities which require authorisation by the FCA and/or PRA will need to understand the rules which are most applicable to their businesses and comply with them accordingly. Failure to do so could result in enforcement action being taken by the FCA and/or the PRA; penalties include significant fines and, in cases involving individuals, potential prohibitions from working in the industry altogether.

The FCA is also the AML supervisor for financial services firms, including those cryptoasset businesses which fall within scope of the UK Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, as amended (see question 1.2).

Answer ... In general terms, the UK financial regulators and policymakers are very receptive to fintech, believing that competition and innovation, if deployed appropriately, can be in the best interests of consumers and strengthen markets. In respect of cryptoassets in particular, the Cryptoassets Taskforce recognised a number of potential benefits in its final report, including when used:

• as a means of exchange by, for example, increasing the efficiency of international transfers;
• for investment, by widening access to new investment opportunities; and
• as a capital-raising tool, including through streamlining the capital-raising process.

The FCA is committed to encouraging innovation in the interests of consumers. Through its Project Innovate, it has a dedicated team working across all of its three core innovation initiatives:

• a regulatory sandbox which is open to authorised firms, unauthorised firms that require authorisation and technology businesses, allowing firms the ability to test their business models, products and services in a controlled environment, closely overseen by the FCA;
• the Advice Unit, which provides regulatory feedback to firms developing automated models to deliver lower-cost advice and guidance to consumers; and
• the Innovation Hub, which provides a dedicated contact for innovator businesses that:
• • are considering applying for authorisation or a variation of permission;
  • need support when doing so; or
  • do not need to be authorised, but could benefit from support.

It has also recently launched a digital sandbox, the first of its kind in the world, which was set up to provide enhanced support to innovative firms tackling challenges caused by the COVID-19 pandemic. Through these initiatives, innovators can test their business models with regulatory oversight and support, and will potentially be able to launch faster in the United Kingdom.

As a result of the COVID-19 pandemic, the City of London is also looking to start-ups and flexible ways of working as part of its five-year recovery plan. While, at the time of drafting, the plan is not yet finalised, the recommendations outline ways to encourage initial public offerings in London and suggest streamlining financial and tech regulations.

However, the Taskforce also identified the following risks associated with cryptoassets, which it has sought to address by clarifying the regulatory approach to cryptoassets and strengthening the UK AML regime, as discussed earlier:

• risks of financial crime, including opportunities for cryptoassets to be used for illicit activity and cyber threats;
• risks to consumers, who may buy unsuitable produces, face large losses, be exposed to fraudulent activity, struggle to access market services and be exposed to the failings of service providers;
• risks to market integrity, which may lead to consumer losses or damage market confidence; and
• potential implications for financial stability, which may arise if the market grows and cryptoassets are more widely used.

In October 2020, the FCA also banned the sale to retail clients of investment products that reference cryptoassets (derivatives). The FCA considered that retail customers cannot reliably assess the value and risks of derivatives (eg, contracts for difference, futures and options) and exchange traded notes that reference certain cryptoassets. This was due to:

• the inherent nature of the underlying assets, which, according to the FCA, have no reliable basis for valuation;
• the presence of market abuse and financial crime (including cyber thefts from cryptoasset platforms) in the secondary market for cryptoassets;
• extreme volatility in cryptoasset price movements; and
• an inadequate understanding by retail consumers of cryptoassets and the lack of a clear investment need for investment products referencing them.

In taking this action, the FCA considers that the ban could reduce harm by £19 million to £101 million a year for retail investors.

Answer ... While there has been no enforcement action against regulated firms relating to cryptoassets and virtual currencies, the FCA has taken action against unregulated firms for conducting regulated activities involving cryptoassets. The FSMA prohibits any person from carrying on a regulated activity in the United Kingdom unless it is authorised or an exempt person.

The FCA’s powers in relation to unauthorised firms conducting regulated activities include the power to:

• seek an injunction to prevent unauthorised business;
• obtain an injunction to secure the assets of a person who has been carrying on unauthorised business;
• apply to the court for a restitution order where a person has been engaged in unauthorised investment business – a restitution order requires payment by the contravener to the FCA of such sums as the court considers to be just in the circumstances. The FCA will then usually distribute any recovered sums among those persons who have lost out as a result of the unauthorised business;
• apply to court for orders under existing insolvency legislation and to be involved in proceedings under that legislation; and
• petition the court for the winding-up of a body which is carrying on or has carried on unauthorised investment business.

Answer ... ‘Virtual currencies’ are generally defined as being a digital representation of value that is neither issued by a central bank or public authority nor necessarily attached to a fiat currency, but is used by natural or legal persons as a means of exchange and can be transferred, stored or traded electronically.

Cryptocurrencies/assets are specific variants of virtual currencies which implement cryptography technology to secure and authenticate currency transactions, and depend on blockchain networks. They are the focal point of the Financial Conduct Authority’s (FCA) recent Guidance on Cryptoassets, which explains the extent to which the FCA regulates cryptoassets.

The FCA recognises the following two broad categories of cryptoassets.

Regulated tokens: These are regulated by the FCA and generally comprise ‘security tokens’ and ‘e-money tokens’.

Security tokens include specific characteristics that bring them within the definition of a ‘specified investment’ under the FCA’s regulatory framework, such as a share or debt instrument. They include tokens that grant holders some or all of the rights conferred on shareholders or debt holders, as well as those tokens that give rights to other tokens that are themselves specified investments. The FCA considers a ‘security’ to refer broadly to an instrument that indicates an ownership position in an entity, a creditor relationship with an entity, or other rights to ownership or profit. Security tokens are securities because they grant certain rights associated with traditional securities.

Anyone that carries on a regulated activity involving security tokens by way of business will need to make sure that they are appropriately authorised or exempt. Issuers of such tokens may themselves not need to be authorised; however, certain requirements relating to the issuance of the tokens may still apply – for example, prospectus and transparency requirements. Market participants should also be aware of the FCA’s financial promotions regime; it is an offence to communicate an invitation or inducement to engage in investment activity unless that person is an authorised person or the content is approved by an authorised person.

E-money tokens are tokens that meet the definition of ‘electronic money’ in the E-Money Regulations 2011 (EMRs). These tokens are subject to the EMRs and firms must ensure that they have the correct permissions and follow the relevant rules and regulations. ‘E-money’ is defined in the EMRs as:

• electronically stored monetary value that represents a claim on the issuer;
• issued on receipt of funds for the purpose of making payment transactions;
• accepted by a person other than the issuer; and
• not excluded from the definition of ‘e-money’ in the EMRs.

E-money must enable users to make payment transactions with third parties, so must be accepted by more parties than just the issuer. Due to the fact that they are not usually centrally issued on the receipt of funds, and do not represent a claim against an issuer, exchange tokens such as Bitcoin and Ether are unlikely to represent e-money.

Unregulated tokens are tokens that do not provide rights or obligations akin to specified investments such as shares, debt securities and e-money. These tokens include exchange tokens (eg, Bitcoin) and utility tokens (eg, certain online gaming tokens) which can be centrally issued, decentralised, primarily used as a means of exchange, or grant access to a current or prospective product or service. They may be used in one or many networks or ecosystems, and can be fully transferable or have restricted transferability. The key point is that any token that is not a security token or an e-money token is likely to be an unregulated token.

For the purpose of the UK Money Laundering Regulations, a ‘cryptoasset’ is defined as “a cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically”.

On 18 November 2019, the government’s UK Jurisdiction Taskforce published its Legal Statement on Cryptoassets and Smart Contracts, which provided clarity on a number of legal issues that can arise as a result of the increasing use of cryptoassets. One of the key questions surrounding cryptoassets is whether English law treats these as property. The statement confirmed that cryptoassets are capable of being property, and that the factors relevant in determining whether English law governs the proprietary aspects of dealings in cryptoassets include:

• whether any relevant off-chain asset is located in England and Wales;
• whether there is any centralised control in England and Wales;
• whether a particular cryptoasset is controlled by particular participants in England and Wales; and
• the law applicable to the relevant transfer (eg, by way of parties’ choice in contractual provisions) is English law.

The statement also confirmed that cryptoassets can be characterised as property for the purposes of the Insolvency Act 1986.

Answer ... It is generally accepted in the United Kingdom that the terms ‘initial coin offering’ (ICO) and ‘security token offering’ (STO) both refer to a digital way of raising funds from the public using a virtual currency or cryptocurrency. They can also be known as a ‘token sale’ or a ‘coin sale’.

ICOs were the first type of digital fund raising and can vary widely in design. The digital token issued may represent:

• a share in a firm;
• a prepayment voucher for future services; or
• a pure utility token which offers no discernible value at all.

They can therefore fall into any of the FCA’s categories of cryptoasset, depending on how they are structured.

In 2017, before the FCA issued its perimeter guidance on cryptoassets, it issued a general warning to the public about the risks of ICOs, stating that they are very high risk and speculative, with many falling outside the regulatory perimeter, in which case consumers are not protected by the Financial Services Compensation Scheme or the Financial Ombudsman Service.

The FCA indicated that whether an ICO falls within the FCA’s regulatory boundaries must be decided on a case-by-case basis, and that where ICOs featured parallels with initial public offerings, private placement of securities, crowdfunding or even collective investment schemes, issuers should have regard to regulatory requirements. The FCA also pointed out that where tokens constitute transferable securities, they may fall within the FCA’s prospectus regime.

STOs emerged to make it clear that the tokens being issued in the fundraisings were securities, with a view to giving investors greater peace of mind that they were protected – provided, of course, that the issuer complied with the relevant regulatory requirements. While the issuers of security tokens need not be regulated themselves, they must comply with rules within the FCA’s prospectus regime and the FCA’s financial promotion rules.

Answer ... The FCA recognises stablecoins as tokens whose value issuers have attempted to stabilise. The most popular methods of stabilisation are as follows:

• Fiat-backed: Tokens are backed with fiat currencies or the issuer ‘pegs’ the value of the token to a particular currency, thereby guaranteeing the value of the token. The token gives the token holder an interest or right to the custodied fiat currency(ies), with the value of the tokens being directly linked to the value of the fiat currency held.
• Crypto-collateralised: Tokens are backed with a basket of cryptoassets with the aim of spreading risk and reducing price volatility.
• Asset-backed: Tokens are backed with a tangible or intangible asset that usually has some economic value (eg, gold).
• Algorithmically stabilised: Tokens attempt stabilisation through algorithms that may, for example, control the supply of the tokens to influence price.

Depending on what they are backed with, how they are arranged and how they are structured, these types of tokens will often fall within different categories of the FCA’s taxonomy of cryptoassets. Stablecoins will be regulated where they provide rights or obligations akin to specified investments, as security tokens and e-money tokens do. If they do not, they will be unregulated tokens; but some of the activities performed may still be subject to regulation, such as the anti-money laundering requirements.

The FCA has made clear that while stablecoins may have a common purpose, they vary greatly in their structure and arrangement, making them inappropriate for any single classification. Issuers should therefore analyse the characteristics of their tokens carefully to ascertain which category of cryptoasset their stablecoins fall into.

Answer ... In the United Kingdom, the largely unregulated virtual currencies such as Bitcoin, Ethereum, Ripple and Litecoin are the most embedded. In a research note published by the Financial Conduct Authority (FCA) on 30 June 2020, the FCA found that 3.86% of the general UK population owns these types of cryptocurrencies, amounting to approximately 1.9 million adults, with the UK population (over 18) taken to be approximately 50 million. Of these consumers, 75% held under £1,000 worth of virtual currencies; and of those owners, technical knowledge appeared to be high, with most consumers understanding the risks that are associated with the lack of regulatory protections and holding those currencies mainly for speculative purposes.

Bitcoin is by far the largest virtual currency in the United Kingdom and there is no particular variation between these coins depending on use. Bitcoin was the first decentralised ledger currency when it was issued in 2009.

Apart from holding these unregulated virtual currencies (which are treated as exchange tokens under the FCA’s guidance) for speculative purposes, there are various other use cases for cryptoassets which have been embedded within the United Kingdom.

Most use cases in the regulated space are in the e-money or payment services sectors, and firms regularly featuring in the FCA’s sandbox include providers of platforms that enable swift cross-border money transfer services and secure transfers of funds using cryptoassets and distributed ledger technology.

Answer ... There are two major types of virtual currency on offer: centralised and decentralised. A centralised virtual currency has a central administrator or repository. The central administrator of a virtual currency is typically the issuer of that currency. The role is similar to a central bank in a regulated currency system. XRP is an example of centralised virtual currency.

A decentralised currency does not have a third-party central administrator or repository. Instead, a distributed system will authenticate the transactions of a decentralised virtual currency. Many decentralised currencies are based on blockchain networks such as Bitcoin, Ethereum and Litecoin.

Virtual currencies are particularly popular as a means of payment in the gambling sector.

Answer ... Structures vary, but include platforms, cryptoasset exchanges and custodian wallet providers. There is no set structure for funding of providers. Some providers will historically have been founded by IT or fintech entrepreneurs, with additional funding being provided by contacts in their network. Structures may be opaque.

Answer ... With virtual currencies generally being classified as unregulated exchange tokens in accordance with the FCA’s perimeter guidance, the transfer, purchase and sale of these tokens, including the commercial operation of the cryptoasset exchanges for exchange tokens, are activities not currently regulated under the Financial Services and Markets Act 2000 (FSMA) by the FCA. However, in the event that a virtual currency qualifies as a transferable security or other Markets in Financial Instruments Directive (MiFID) financial instrument that can be traded, the operator of an exchange may need to be authorised under the FSMA as the operator of a multilateral trading facility or organised trading facility.

The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 also apply to crypto-asset exchange providers and custodian wallet providers, which must register with the FCA.

Where virtual currencies are classified as unregulated exchange tokens, they will be outside the scope of the Market Abuse Regulation, as this generally applies only to MiFID financial instruments.

Answer ... Virtual currencies have not yet been adopted widely in the United Kingdom, largely due to them not being directly regulated by any current legislation. They remain awkwardly outside existing financial regulations and this has affected market confidence in their use, with scepticism focusing particularly on their susceptibility to money laundering and fraud.

Despite this, UK authorities are alive to the opportunities that virtual currencies can provide. In March, the Bank of England (BoE) published a discussion paper on the potential creation of a central bank digital currency (CBDC), stating its intention to provide more information next year. The BoE’s governor, Andrew Bailey, followed up with a speech in September 2020 discussing whether stablecoins (a virtual currency that is convertible into fiat money at any time) or a CBDC would be the appropriate next step in the United Kingdom (concluding that they are not necessarily mutually exclusive).

Conversely, major banks have been mostly reticent in supporting virtual currency-related businesses and transactions – usually for policy reasons in the absence of an established regulatory framework. This is holding back the sector in the United Kingdom.

That said, stakeholders are aligned in wanting a clear and robust regime, whatever virtual currency/currencies are eventually adopted.

This, coupled with the already well-established ‘virtual’ transaction market in the United Kingdom – most transactions are now facilitated via card and contactless payments, with each payment monitored and represented on electronically maintained ledgers – should mean that virtual currencies are well positioned for future adoption within the broader UK banking landscape.

Answer ... Inflation is affected by a wide range of factors and not just the ‘form’ of money – for example, overall economic conditions and, of course, the velocity of transactions in the markets. The BoE, like most modern central banks, controls inflation via a mixture of quantitative easing programmes and setting interest rates, which are then used as a base rate by commercial banks and lenders.

Currently, movements in the value of virtual currencies would barely register in the United Kingdom. To put this in context, the total money supply in the United Kingdom is estimated at over £2 trillion. By contrast, the total supply of Bitcoin (the most prevalent of the virtual currencies in circulation) is 21 million units.

In the short term, and before more sophisticated standards and regulations are in place, it is difficult to predict how materially the use of virtual currencies would impact on inflationary measures.

However, hypothetically, if virtual currencies continue to grow to the extent that their use begins to rival that of traditional money, they could certainly impact on BoE’s ability to control inflation via orthodox monetary policy. This could, perhaps, be driving the BoE’s interest in virtual currencies and the potential creation of a CBDC.

Answer ... One fundamental characteristic of virtual currencies is the distributed ledger system (blockchain), which eliminates the need for a central third party – usually a bank – to facilitate payments. Much has already been discussed about how this could increase efficiencies in payments and across the banking system generally.

However, the adoption of virtual currencies would have implications far beyond this. As Andrew Bailey remarked in his September speech, the BoE and commercial banks play a key role in ensuring that payments can be made with confidence. Increased use of virtual currencies in transactions would thus raise questions about who should be responsible for the security and integrity of payments. Again, concerns such as these could be underpinning the BoE’s potential introduction of a CBDC.

Virtual currencies may also have a significant impact on the balance sheets of commercial banks throughout the United Kingdom. Around 97% of money held by UK businesses and households is in commercial bank deposits, which underpin the funding of the UK banking sector. The mainstream adoption of virtual currencies would necessitate households and businesses switching some of their funds from deposits into virtual currencies. This would, however, shrink the balance sheets of commercial banks, which may seek to offset this by raising interest rates, increasing the cost of credit to the economy or borrowing more from the Bank of England – all of which could alter the banking landscape profoundly.

Answer ... The definition of ‘credit’ is broad and includes a cash loan and any other form of financial accommodation (Articles 36H(9) and 60L of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO)). Some activities involving virtual currencies may involve the provision of credit and may therefore fall within the scope of the consumer credit legislation. Furthermore, where the loan is provided via a loan-based crowdfunding platform, the platform is likely to need to be authorised under the Financial Services and Markets Act 2000 and have permission to operate an electronic system in relation to lending.

With regard to deposits of virtual currencies, the acceptance of deposits is a regulated activity if money received by way of deposit is loaned to others or any other activity of the person accepting the deposit is financed wholly, or to a material extent, out of the capital of, or interest on money received by way of deposit (Article 5 of the RAO). This permission will typically be held by a bank. In general, virtual currencies should not fall within the definition of ‘deposit taking’, as issuing virtual currencies does not involve the deposit of a sum of money to the issuer (if there is an issuer). It is more usual for virtual currencies to be issued on receipt of other cryptocurrencies. Cryptocurrencies are not normally issued on terms by which they would be repaid to the holder.

Answer ... Distributed ledger technology (DLT) or blockchain technology is not in itself regulated in the United Kingdom. The Financial Conduct Authority (FCA) generally takes a ‘technology-neutral’ approach to regulating financial services and does not regulate the technology; what it does regulate are the firms that conduct regulated activities using the technology.

The use of DLT/blockchain systems creates questions around certain activities, operational issues and processes, such as custody and settlement. While the FCA’s Guidance on Cryptoassets does not address these issues (as the focus of the guidance is on the regulatory perimeter), the FCA has made it clear that it will be monitoring developments in these areas and stands ready to engage with market participants as the DLT/cryptoasset market matures.

With regard to wider legal issues, as the nodes of a decentralised ledger can span multiple jurisdictions across the globe, it is often difficult to establish which jurisdictions’ laws and regulations apply to a given application. There is a risk that transactions performed using blockchain could fall under every jurisdiction in which a node in the blockchain network is situated, potentially resulting in an overwhelming numbers of laws and regulations that may apply to transactions on the blockchain. It is therefore important to consider what law applies to transactions and put in place legal frameworks which dictate the governing law and mechanisms for dispute resolution.

Where DLT is used to store, share and process client data, careful consideration should also be given to data protection laws and privacy issues. The Data Protection Act 1998 sets out firms’ obligations when storing and processing client data, and includes the right for data subjects’ ‘right to be forgotten’; this may cause issues for DLT where firms use immutable records and share data among themselves.

Answer ... Blockchain technology is often thought of as being ‘tamper-proof’ because each new digital block containing a record of transactions is connected to all preceding blocks. In order to tamper with records contained in a block, all subsequent blocks in the chain must also be changed to avoid detection. Given that blockchain is a decentralised ledger, there is no single point of failure which can be overridden. It also uses cryptography to secure data.

Despite the high level of security that blockchain provides, there remain some cybersecurity risks. While data, once it is on the blockchain, is relatively secure, this does not prevent information from being tampered with at the point of entry. To this end, cybercriminals may target data input points such as cryptoasset wallets. In addition, it is well established that data on the blockchain can be compromised by a targeted brute force attack on certain blockchain nodes.

There have been many publicly reported stories about the hacking of cryptocurrency exchanges and millions of dollars’ worth of cryptoassets vanishing from virtual wallets. A major challenge to mass adoption of cryptoassets will be the seemingly increasing security risks and the impact on ‘safe custody’ of cryptoassets.

Answer ... The UK data protection regime is largely governed by the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). It is expected that the current regime will remain after the end of the Brexit transition period via the implementation of the GDPR into UK domestic law. According to this regime, personal data must be processed in line with the GDPR principles of:

• lawfulness, fairness and transparency;
• purpose limitation;
• data minimisation;
• accuracy;
• storage limitation;
• integrity; and
• confidentiality.

There is no UK data protection legislation that expressly refers to virtual currencies and so the processing of personal data within this context is subject to the general requirements and obligations. However, complying with all data protection obligations in practice may provide a challenge in this context, as other sector regulations will have an impact on the data processing activities such as establishing retention periods in line with anti-money laundering obligations. Also, when using blockchain or other distributed ledger technology, there are some areas of tension to comply with the GDPR principles, and these are being considered by experts and regulators. Relevant points of discussion include:

• the extent to which data subjects’ rights can effectively be exercised; and
• how to comply with the minimisation principle, for which measures such as anonymisation and keeping personal data ‘off-chain’ are discussed as a way to mitigate risks.

Answer ... There is no universally applicable cybersecurity law.

The Network and Information Systems Regulations 2018 implements the EU Directive on the Security of Network and Information Systems (NIS Directive) in the United Kingdom. The aim of the NIS Directive is to improve cybersecurity; among other things, it obliged member states to identify operators of essential services within their territory in certain sectors to which requirements would then apply. The sectors covered by the NIS Directive include the banking and financial markets infrastructure sector. However, the UK government did not carry out the identification exercise for the banking and financial markets infrastructure sector, on the basis that Recital 9 of the NIS Directive permits this approach where provisions at least equivalent to those specified in the NIS Directive exist in EU law by the time NIS Directive came into force. The European Commission published a report in October 2019 expressing concern over the application of exemptions by member states and stating that it would gather further information. However, the impact of this remains to be seen, including due to Brexit. In the meantime, firms in these sectors must continue to adhere to the requirements and standards as set by the Prudential Regulation Authority and/or the FCA.

Further, the European Commission declined to bring virtual currencies within the scope of the revised Payment Services Directive ((EU) 2015/2366), which includes requirements relating to security, instead bringing virtual currencies under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations (as mentioned above).

Answer ... The UK anti-money laundering regime relating to financial services is largely embodied in the Proceeds of Crime Act 2002 and the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLRs). The MLRs place a general obligation on certain firms – including financial services firms – to establish and maintain appropriate and proportionate risk-based policies and procedures to prevent and detect situations where their systems may be at risk of being used in connection with money laundering. A failure to comply with the MLRs may constitute a criminal offence.

On 10 January 2020, the scope of the MLRs was widened to capture cryptoasset exchanges and custodian wallet providers. The MLRs introduce, for the first time, AML obligations for these types of cryptoasset businesses. New businesses carrying out cryptoasset activity in scope of the MLRs must be registered with the Financial Conduct Authority (FCA) before conducting business. Existing businesses already conducting cryptoasset activity before 10 January 2020 may continue their business, but will need to ensure compliance with the MLRs. They must, however, register with the Financial Conduct Authority by January 2021.

Answer ... There is no specific protection that is enforceable by consumers when dealing with virtual currencies. The only protection comes from the regulation of the virtual currency providers themselves – that is, the FCA requires the provider of certain types of virtual currency to be registered.

The Financial Conduct Authority (FCA) requires providers of certain types of virtual currencies to be registered (and thus does a level of due diligence on the firm), and the provider must comply with anti-money laundering regulations like every other financial institution. However, consumers have no recourse to the financial protections of the Financial Services Compensation Scheme if the exchange holding their virtual currency goes insolvent, and cannot claim under the Financial Ombudsmen Service.

The only other ‘protection’ is a recent (6 October 2020) FCA ban on the sale of derivatives and exchange notes that reference certain types of ‘cryptoassets’ to retail customers, imposed on the basis that cryptoassets cannot be reliably valued by retail customers.

Broader (non-financial services) consumer protection regimes, such as unfair terms and distance-selling protections, will apply; but these give no protection around the virtual currency itself. The extent to which issuance of or trading virtual currencies falls within the definition of ‘the provision of goods and services’, where other protections would ordinarily apply, is unclear. The English courts have held that virtual currencies are belongings (like money) capable of being stolen, so the Theft Act applies; but if they consider virtual currency to be akin to information in a database (where virtual currencies are based on blockchain technology), there will be no proprietary or ownership rights to enforce.

Answer ... The mainstream adoption of virtual currencies will likely lead to enhanced regulation of the area – the FCA’s recent ban of the sale of derivatives and exchange notes being the first example. In the 1970s, the Consumer Credit Act 1974 introduced consumer protections as the adoption of credit cards proliferated. However, regulators will intervene only when the risk is sufficiently great and the system sufficiently established; they do not judge that this time has come yet.

Experts suggest that the mainstream adoption of virtual currencies will lead to those virtual currencies being superseded by commercialised systems, similarly to how music streaming has developed from decentralised services such as Napster to commercial operations such as Spotify and iTunes. An increasing number of companies already accept virtual currencies or soon will do, including Microsoft, Facebook, Expedia and Virgin Galactic. We can therefore expect the number of companies willing to accept cryptocurrency to expand materially along with associated consumer protections.

Answer ... While virtual currencies have yet to be the subject of a competition investigation within the United Kingdom, they are not immune from scrutiny under applicable competition laws, and the attention they may be expected to attract is likely to increase as usage becomes widespread.

For example, concerns may arise where competitors work together to develop technical standards for virtual currencies (or functions thereof), given the possibility for such standards to:

• exclude competing technologies;
• reduce competition on innovation; and
• ultimately limit access to the adopted standards.

To seek to minimise these concerns:

• participation in the development of technical standards should be unrestricted and generally open to all interested parties;
• processes for the adoption of standards should be objective, non-discriminatory and transparent (including as regards the allocation of voting rights among participants), with technologies selected on the basis of objective criteria; and
• standardisation arrangements should be voluntary.

Once adopted, standards in relation to virtual currencies should be accessible on fair, reasonable and non-discriminatory (FRAND) terms and conditions. Where standards involve the use of IP rights, participants that wish for their IP rights to be used within these standards should provide irrevocable commitments to offer to license their essential IP rights on FRAND terms and conditions (and provide these commitments before the adoption of any standards).

More generally, if virtual currencies directly or indirectly enable or facilitate the exchange of commercially sensitive information between competitors (eg via blockchain technology), this is likely to prompt investigation and possible sanction.

Answer ... The UK tax authority, Her Majesty’s Revenue & Customs (HMRC), does not consider cryptocurrencies to be currency or money for tax purposes. Instead, they are treated as ‘exchange tokens’ and taxed differently in the hands of individuals and businesses.

In most cases, individuals hold cryptoassets as a personal investment, usually with a view to increase in capital appreciation in value or to make particular purchases. If they are UK tax resident and sell their cryptocurrency at a gain, they will be subject to UK capital gains tax at the usual rate (for tax year 2020/12) of 20%. Throughout the time that an individual is UK tax resident, all of the cryptoassets that he or she holds will be treated for tax purposes as if they are located in the United Kingdom. Certain costs can be deducted in calculating the amount of the taxable gain.

Individuals are liable to pay income tax and national insurance contributions on cryptoassets which they receive from their employer as a form of non-cash benefit; or from mining, transaction confirmation or airdrops (eg, as part of a marketing or advertising campaign).

Transactions in cryptocurrencies are not considered to be a gambling activity for tax purposes. The proceeds of gambling transactions in the United Kingdom are generally received tax free.

If an individual operates a business which carries on a financial trade in cryptoassets, the profits of that business are subject to income tax, which takes priority over the capital gains tax rules. To date, such businesses are considered rare.

Companies are taxed on the profits they make in relation to cryptocurrencies. If the transaction does not have a pound sterling value (eg, if Bitcoin is exchanged for Ether), an appropriate exchange rate must be established in order to convert the transaction to pounds sterling for completion of the relevant tax return. The valuation methodology must be documented and retained in case of a HMRC enquiry.

As exchange tokens are not treated as money for tax purposes, none of the specific corporation tax rules relating to money or currency will apply. If the activity concerning the exchange token is not a trading activity and is not otherwise chargeable to corporation tax (eg, as a non-trading loan relationship or intangible fixed asset), the activity will be the disposal of a capital asset and any gain on disposal will typically be chargeable to corporation tax as such.

Answer ... The demand and popularity of virtual currencies are growing. However, investors have become more cautious, due to:

• the volatility of virtual currencies;
• regulatory warnings to consumers on the speculative nature of investing in virtual currencies; and
• the risk of scams and other financial crime associated with the use of virtual currencies.

The Financial Conduct Authority (FCA) has made clearer its stance on the regulation of cryptoassets in the FCA Guidance on Cryptoassets, and the general trend is towards increased regulation and a heightened regulatory focus, in particular on anti-money laundering systems and controls.

Answer ... Virtual currency providers and cryptoasset businesses should not assume that they are outside the scope of UK regulation. They should consider whether they may be conducting regulated activities in the United Kingdom (eg,where do they sit within the categorisation of cryptoassets in the Financial Conduct Authority (FCA) Guidance on Cryptoassets?).

They should also consider whether they need to register under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations, and ensure that they have adequate anti-money laundering systems and controls in place. This is an ongoing requirement, not merely a requirement upon registration, and the FCA has strong enforcement powers in the event of non-compliance.

Contributors:
Helen Davenport, Partner - Data Privacy and Cyber Security
Rocio de La Cruz, Principal Associate - Data Protection
David Brennan, Partner and Co-chair of Global Tech - Corporate
Samantha Holland, Partner - Commercial Litigation
Samuel Beighton, Partner - EU, Trade and Competition
Alasdair McKenzie, Partner – Banking and Finance
Zoe Fatchen, Partner – Tax
Jocelyn Paulley, Partner – Data protection