Regulating Cryptoexchanges

Industry Snapshot

More than 200 cryptoexchanges now operate internationally. While platforms that provide futures and options trading on Bitcoin and Ether are already subject to the oversight of the UK’s Financial Conduct Authority and the United States Commodities Futures Trading Commission, the vast majority of cryptoexchanges (ie, that trade digital assets) fall outside regulatory oversight provided they do not list any digital asset that is regarded as a security.

Industry developments covering products, services and practices in the secondary market for digital assets include greater recognition of digital assets as a new asset class, an increase in the number and size of cryptoexchanges, improved indices of cryptocurrency prices that contribute to price transparency, emergence of intermediaries that specialise in trade execution and portfolio and risk management, asset management growth, evolution of custodial services, specialised audit services, and tie-ups between traditional financial services and cryptoexchanges. This has been accompanied by evolving standards and practices that are driven partly by emerging regulatory requirements, and partly by the need to compete for business that is increasingly being compelled to comply with the expectations of investors familiar with traditional markets.

Regulatory responses are primarily shaped by the emergence of risks that affect the integrity of the public market and consumer protection, the powers given to regulatory agencies, and social and political considerations as regards the development of new technology. Important regulatory developments include progress in the primary market on the categorisation of digital assets for the purposes of existing laws, the validation and safeguarding provided by regulatory oversight such as the Bitlicense issued by the New York Department of Financial Services (”NYDFS”) and the establishment of regulated futures and commodities platforms in the UK and U.S., case law confirmation that the CFTC’s regulatory oversight covers the use of manipulative devices when trading cryptocurrencies, investigations by regulatory enforcement agencies of possible manipulative practices, successful enforcement actions in relation to primary and secondary market activities, and developing anti-money laundering (“AML”) requirements to cover cryptocurrencies, such as the fifth AML directive of the European Union.

As the activities of cryptoexchanges continue to penetrate into the market, attention has been moving to the need for more comprehensive regulatory oversight in a manner similar to the regulation of traditional stock markets including participating intermediaries. This requires a more granular consideration of what it is that needs to be regulated, why, and how.

An Eponymous Term

The term “cryptoexchange” is somewhat eponymous as the services actually undertaken may span activities that have become subject to a division of labour in traditional markets. This may include typical exchange-like acts (such as price formation, order matching functions, clearing and settlement), the operation of OTC desks, and acts more typical of intermediaries (such as market making, contract counterparty, broking, dealing, advisory, and custody) that are non exchange-like.

The term also covers exchange models with quite different risk profiles. Centralised cryptoexchanges (“CENEX”) are characterised by a hub-and-spokes model that relies on, similar to a traditional stock exchange, a centralised trading platform that connects supply and demand via a trading mechanism managed by an exchange operator. In contrast, trading relationships in decentralised cryptoexchanges (“DEX”) are formed via a trading mechanism embodied in a distributed open-source computer code on a direct person-to-person basis, giving rise to a matrix model of trading relationships. DEX are thus characterised by the absence of a centralised entity and the ability of investors to transact directly with each other without the counterparty risk found in CENEX models. However, the CENEX/DEX dichotomy is an imperfect device as cryptoexchanges sit along a spectrum of different operating arrangements.

CENEX are presently a particular subject of interest to regulators because their size, operating practices and growing predominance gives rise to three key consumer protection and market integrity concerns.

First, the exchange-like or intermediary-like roles a CENEX may undertake at various times creates conflicts of interest between different business lines (for example, acting as exchange, broker-dealer and proprietary trader). Conflicts are often not managed well or at all. Some cryptoexchanges provide certain traders with benefits (such as additional order types) that could preference those traders at the expense of other clients. More recently, CENEX have also been acting as promoters in initial exchange offerings (“IEO”), which gives rise to additional conflict issues.

Second, around two-thirds of CENEX hold customer assets, raising concerns about asset protection (ie cybersecurity and the possibility of exchange hacks). In addition, the absence of a consistent and transparent approach to auditing makes it difficult or impossible to ascertain whether customer assets are being held as claimed.

Finally, secondary market trading is occurring in the absence of market surveillance mechanisms (eg, that would identify suspicious trading patterns) in a market context that is highly susceptible to abuse. Some CENEX are taking fledgling steps to address this, an example being Coinbase’s decision in January 2019 to pause transactions with the Ethereum Classic (“ETC”) blockchain as a result of detecting activity that put some customers’ ETC assets at risk of being valueless (namely, deep chain reorganisations that contained double spends). Other CENEX take a politically different view of the market, one notable opinion being Kraken’s assertion that manipulative scams are rampant in the industry and that crypto traders know it and don’t care.

Regulatory Responses

Most major jurisdictions have been responding to the development of cryptoexchanges by exploring how they fit, or might be fitted into, the existing legal framework. These approaches tend to turn on the question of whether or not securities are being traded on the cryptoexchange – where the answer is in the negative, no regulatory oversight applies. A handful of jurisdictions have introduced new bespoke laws, notably Gibraltar, Malta and Bermuda.

In January 2019 Malaysia took the approach of defining all digital assets as securities to bring them under regulatory oversight. It is not yet known how the Securities Commission will approach the regulatory building blocks problem (see below) - it was only after the NYDFS introduced the BitLicence that it realised certain requirements regarding financial statements and audit reports could not be met, leading to a relaxation of requirements. Japan’s Financial Services Authority has been considering treating cryptocurrencies as a financial product, which would bring it under the Financial Instruments and Exchange Act and provide stronger protections to investors.

A somewhat unique solution was proposed by Hong Kong’s Securities and Futures Commission (“SFC”) in November 2018. The SFC could within the scope of its statutory powers license cryptoexchanges if, among the digital assets traded by the cryptoexchange, there is at least one that is regarded as a security – this proviso is necessary for the SFC to establish jurisdiction. The SFC would exercise its power to impose conditions on licences as a means of imposing operational requirements that would cover all digital assets traded, not only securities. The relevance of the shift from initial coin offerings to securities token offerings should not go unnoticed in this regard.

Under this approach, the SFC has invited CENEX, though not DEX, to apply to enter a sandbox in which extensive oversight of its operations is given to the SFC. This approach is premised on a shared goal of addressing risk and efficiency via agreed standards and practices, and implicitly recognises the difficulty of applying the existing body of regulations. If successful, it would serve the twin purposes of facilitating the development of meaningful exchange standards and bringing licensed cryptoexchanges within the scope of regulatory oversight.

The SFC’s proposal is highly laudable in an admittedly difficult legal environment. It recognises (1) the risk of continuing to leave cryptoexchanges in a zero-oversight regime, (2) that the form of CENEX are similar to traditional exchanges and give rise to a broadly similar set of problems solvable by familiar methods, and (3) that the pathway to establishing oversight requires detailed cooperation with the industry.

There are a number of difficult issues that remain outstanding for that approach to work. Commercially, the problem is finding a way to allow cryptoexchanges to conduct business as usual while also satisfying core regulatory needs. A consequence of extending the sandbox only to CENEX is commercial advantage to CENEX since DEX are unable to obtain the validation provided by regulatory oversight. This is despite, as discussed below, the similarity of functions in CENEX and DEX. At the present point in time this is defensible on the basis that DEX are smaller, still in the development stage, and do not present the same counterparty risk issues as CENEX. That position may need to be reviewed as DEX are developed. It is important that the SFC’s sandbox should not become a proxy for selectively advancing one cryptoexchange model over another but operate as a starting point.

The proposed approach appears to work legally under the licensing powers given to it by the Securities and Futures Ordinance. However, the substance of the SFC’s proposal is not primarily to regulate securities activities but to regulate cryptoexchange activities in a manner similar to automated (or alternative) trading services (“ATS”). Accordingly, the use of licensing conditions that in reality serve as a device to expand the jurisdictional reach of the SFC to activities that are not themselves regulated by the SFO may be open to question. While this gives rise to sustainability issues, it is an example of a regulatory agency dealing with the hand they’ve been dealt as best they can, and it could be an early step that facilitates later legislative development.

Form Versus Function

Going forward, the challenge for regulators will be to develop a more granular approach to regulation. How to implement the usual regulatory building blocks will need to be resolved. This includes in relation to account management, such as standards for custody, audit and record keeping, as well as broader market concerns related to market transparency and market abuse protections (see Hong Kong Lawyer, November 2018 “How can Blockchain and other Consensus Driven Cryptographic Technology be Regulated?”).

Granular regulation will need to focus on addressing risk and improving market efficiency. To date, regulatory agencies have correctly focussed on CENEX as they are presently larger operations and carry greater risks. However, in a developing industry context public regulation should not be imposed in a manner that may inhibit the ability of private market regulation to develop outcomes that align with public policy. This requires regulatory development to be model-neutral and form-independent, else barriers to innovation may be created that do not serve overarching social and economic objectives of facilitating commercial and financial possibilities.

One might consider how traditional bricks-and-mortar forms of exchange venues were disrupted by electronic trading networks beginning in the early 1970s. In a CCTech era, the question of form versus function must be considered carefully because the technology allows form to be partially or wholly dematerialised - venue, act and product can be collapsed into the operation of code via distributed networks.

In November 2018, the United States Securities and Exchange Commission (“SEC”) emphasised that it will take a functional approach to cryptoexchange regulation. It notes that an exchange can be comprised in decentralised trading systems that display trading interest to other users, or in systems that receive trading orders centrally for processing and execution. This is essentially a reworking of similar concerns of the SEC over 20 years ago in relation to ATS.

The recognition of CENEX and DEX as exchanges brings with it the usual set of regulatory concerns in relation to market integrity, transparency and fairness of the exchange’s operations. This includes in relation to the listing function, access to trading, how clearing and settlement is effected, the robustness of the exchange’s systems and controls, conflict management, rule development, and record keeping. Where clearing and settlement functions are undertaken, other issues such as rules regarding transaction finality, and credit and liquidity risk will be of concern.

Tags oriented to form, such as “centralised” and “decentralised”, provide less information value to regulatory concerns than a consideration of function, although form may still guide what regulation can in practice be meaningfully attached to. While centrality has hitherto served as a useful nexus point, the possibilities offered by CCTech requires rethinking how regulation might be applied to decentralised environments.


An important litmus test for any regulatory development is the degree to which it is sustainable as the industry develops. Models of commercial activity in digital assets are changing rapidly, including the services that might evolve in relation to them. Regulatory oversight must countenance matters ranging from the involvement of intermediaries providing services specific to digital assets as well as intermediaries already involved in traditional markets, to the use of digital assets in a wider range of purposes including corporate financing, to the regulatory treatment of digital assets for the purposes of capital adequacy or financial resources requirements. Facilitating the ability of cryptoexchanges to interact normally with the existing banking system is a necessary corollary to successful development of the industry.

Oversight that extends beyond minimally necessary regulation, or applied in a model-specific manner, may lead to counterproductive consequences. Development of overall integrity of the market could be delayed as cryptoexchange developers and investors may engage in model arbitrage and regulatory arbitrage – only falling within the regulatory net where it suits their purpose. This could cause industry development in regulated jurisdictions to cycle back toward extant models (ie pre-CCTech), rather than seeking the development of optimal models of commercial and financial activity. In unregulated jurisdictions, cryptoexchanges may continue pursuing self-interested profit making motives via standards and practices regarded as abusive in a well regulated marketplace.

The implementation of legislation too early in the cycle of industry development may result in heading down the wrong path and/or obsolescence. Simply applying the existing legal framework is fraught with the risk of not permitting industry to develop along the most commercially efficient pathways. The approach taken in Hong Kong demonstrates that, at the present point in time, there is no need for dramatic and wholesale changes to legal systems. However, while it is flexible in the face of a changing industry landscape, and encourages industry-regulator dialogue to find workable solutions, it is unlikely to be the best long-term solution.

For a more in-depth analysis, see “Requisites for Development of a Regulated Secondary Market in Digital Assets”, available from the author’s page at,


Syren Johnstone is the Executive Director of the LLM (Compliance & Regulation) Programme at the University of Hong Kong and a Director of Keel Consulting. He has undertaken senior management roles regulated by the SFC and The Stock Exchange of Hong Kong, been engaged for expert work by Hong Kong’s statutory regulators, and has been an influential voice in shaping high profile regulatory matters that have been referenced in LegCo and the Court of Appeal. He is a member of the SFC’s Fintech Advisory Group since its 2016 formation.