Blockchain Bites: Security Alliance proposes Whitehat Safe Harbor to secure Web3, SEC marks its territory with expanded “dealer” definition, UK policymakers debate stablecoin reform, Hong Kong to consult on regulation for OTC Crypto Ventures, Cambridge University launches Digital Money Site


Authors: Michael Bacina, Steven Pettigrove, Tim Masters, Jake Huang, Luke Higgins, Luke Misthos, Kelly Kim,

Service: Blockchain | FinTech
Sector: Financial Services | IT & Telecommunications

Michael Bacina, Steven Pettigrove, Tim Masters, Jake Huang, Luke Higgins, Luke Misthos & Kelly Kim of the Piper Alderman Blockchain Group bring you the latest legal, regulatory and project updates in Blockchain and Digital Law.

Security Alliance proposes Whitehat Safe Harbor to secure Web3

A leading group of Web3 security researches and lawyers (including the authors of this piece) launched a request for comment yesterday on a new security approach to assist in reducing DeFi hacks. The Whitehat Safe Harbor Agreement is intended to incentivize “Whitehats”, so-called ethical security hackers, to rescue at-risk crypto assets where an active blockchain exploit is underway. The initiative is led by the Security Alliance (SEAL), a non-profit founded by leading security researcher samczsun and backed by a broad and international industry coalition with a view to addressing some of the key security challenges in the space.

Hacks and exploits have been a core concern in the growth of Web3 technologies. In 2022, nearly USD$650 million in assets was stolen in the Ronin bridge hack alone. An attack on the Nomad bridge later that year netted nearly USD $200 million in stolen funds. Early members of the Security Alliance were involved in identifying the root cause of the hack and helping the Nomad project recover USD $38.8 million in funds from several whitehats who had intentionally drained the bridge to protect funds from the attackers. Crypto bridges are software protocols that enable communication and interaction between different blockchains and effectively enable value to be transferred across blockchains.

The Safe Harbor initiative is a pre-emptive security measure for protocols, similar to a bug bounty. It is a framework specifically for active exploits, i.e. situations where a vulnerability has begun to be exploited by a malicious actor. If a protocol has adopted the Whitehat Safe Harbor Agreement before such an incident occurs, whitehats will have clarity on how to act in a potential rescue, and will be more likely to help intervene.

A blockchain protocol can adopt the Whitehat Safe Habor Agreement through a governance vote of tokenholders or alternative decision making process. The protocol would need to first identify:

  • Which assets are in-scope for the agreement (e.g. any ERC20 token at a specific address)?
  • What reward will be given to successful whitehat rescues (e.g. 10% of rescued funds capped at USD$1m)?
  • Where should rescued funds be returned (e.g. a specific multisig or treasury address)?

If adopted, the Whitehat Safe Harbor Agreement forms part of the website’s terms of service to enable users of the protocol to pre-emptively agree to whitehat rescues in the event of an exploit. This agreement is intended to incentivize whitehat hackers to rescue funds by offering agreed rewards and pre-emptive legal releases from the protocol and its users, and reducing the risk of criminal prosecution. The whitehat must comply with the procedures in the agreement and return funds to a designated asset recovery address in order to benefit from the protections under the safe harbor.

The Security Alliance, or SEAL, is the coalition behind the SEAL drills initiative, which allows developer teams to war-game security incident scenarios, and the SEAL 911 Emergency Hotline, which enables users, developers and security researches who need access to urgent security advice, help with disclosing a critical vulnerability, or to simply sync on progress with other researchers to connect with a team of carefully vetted expert volunteers. Over the past 6 months, SEAL 911 has helped disrupt, intercept, and remediate several hacks, as well as assisted numerous people with other security problems.

The request for comment runs until 14 March 2024. The proposal is the result of more than 18 months of work by a group of leading blockchain lawyers and security experts. Piper Alderman was pleased to collaborate on the Whitehat Safe Harbor Agreement alongside leading blockchain and security lawyers including Gabriel Shapiro, the Lexpunk coalition, Debevoise & Plimpton LPP, and the policy teams at Paradigm and A16Z Crypto, among many others.

By Michael Bacina and Steven Pettigrove


SEC marks its territory with expanded “dealer” definition

The US Securities and Exchange Commission (SEC) has broadened its definition of a “dealer” to encompass a wider range of financial activities. The rules require that anyone who meets the expanded “dealer” definition must register with the SEC and become a member of a self-regulatory organisation. The broadening of the definition could capture high frequency traders and target crypto and DeFi platforms which industry advocates say are unable to register with the SEC owing to a lack of compatible regulations and regulatory stonewalling.

In short, the new framework puts forward two new qualitative and non-exhaustive criteria to establish “dealer” status for persons providing liquidity in securities markets (including what the SEC calls “crypto securities”):

  1. Expressing Trading Interest Factor: regularly expressing trading interest that is at or near the best prices on both sides of the market for the same security, and that is communicated and represented in a way that makes it accessible to other market participants; or
  2. Primary Revenue Factor: earning revenue primarily from capturing bid-ask, by buying at the bid and selling at the offer, or from capturing any incentives offered by trading venues to liquidity-supplying trading interest.

According to the SEC’s description, the new dealer framework focuses on the functional analysis of securities trading activities, irrespective of the type of security being traded, and while purporting to be technologically neutral, ignores those elements of crypto-assets and DeFi which are incompatible with existing regulation.

The SEC’s decision comes amidst a backdrop of broader regulatory efforts by US agencies targeting crypto assets, including measures proposed by the Internal Revenue Service (IRS). While previous regulatory discussions may have garnered more attention, the implications of the SEC’s expanded dealer definition could be far greater, particularly for DeFi projects who may further limit access to US users while pushing innovation offshore.

SEC Chair Gary Gensler emphasised his views on the reform, stating:

Absent an exemption or exception, if anyone trades in a manner consistent with de facto market making, it must register with us as a dealer – consistent with Congress’s intent.

Unfortunately, the SEC’s stance reaffirms its attempts to extend existing regulatory regimes to novel technologies. In other words, it may amount to a shadow-ban on DeFi platforms and underscore Mr Gensler’s true view: that only traditional models of financial services should be offered to US customers.

Despite objections and confusion from industry insiders, including those in DeFi, the SEC position has remained unchanging. The agency emphasised that the application of dealer rules is contingent upon a thorough examination of the facts and circumstances surrounding each transaction or structure, irrespective of the technology used, but fails to accommodate fundamental technological differences in DeFi.

The commission’s decision not to carve out a specific exemption for crypto activities was motivated by concerns regarding negative competitive effects. While the rules initially targeted electronic participants in the US Treasuries market, they will apply uniformly to any business falling under the expanded definition of a dealer.

Critics, including SEC Commissioners Mark Uyeda and Hester Peirce, voiced dissenting opinions, citing regulatory confusion and problems in the practical application of the existing rules to crypto products. Peirce, a vocal advocate for tailored regulations for crypto, expressed disappointment in the lack of nuanced consideration for DeFi operations:

…the [new] rule[s] reflects little thought regarding its practical application in the crypto markets

The DeFi Education Fund and other crypto groups echoed these concerns, denouncing the final rules as misguided and unworkable. Max Bernstein, Communications & Operations Senior Manager at DeFi Education Fund, posted the group’s thoughts via X:For crypto industry participants, this is another regulatory blow which highlights the absence of a clear compliance pathway for DeFi platforms in the US. The final rules will become effective 60 days after being published in the Federal Register. The compliance date will be one year after the effective date of the final rules.

It is curious that the SEC has been raising concerns around negative competitive effects for traditional operators, in stark contrast to the early 2000s when SEC Commissioners embraced technology which created efficiency and broader access to information and did not suggest online trading posted a negative competitive effect for then traditional operators.

As the regulatory landscape continues to evolve, stakeholders in the crypto industry must navigate these changes while advocating for a regulatory model that allows US enterprise and users to build and access DeFi technology.

By Luke Misthos , Steven Pettigrove and Michael Bacina


UK policymakers debate stablecoin reform

On 6 November 2023, the Bank of England (BOE) and the UK’s Financial Conduct Authority (FCA) published discussion papers on their respective plans to regulate stablecoins – a type of crypto asset which purports to maintain a stable value relative to one or more assets or currencies. The proposals form part of wider UK reforms to regulate crypto assets. However, the regulators’ different approaches have sparked heated debate within the UK crypto asset industry over the proposed regime.

While both regulators plan to supervise stablecoins, they have different regulatory focuses:

  • the FCA’s Discussion Paper DP23/4 says its main focus is to regulate the issuance and custody of fiat-backed stablecoins in or from the UK, as well as their use as a means of payment for goods and services in the UK. In addition, the FCA is exploring how to regulate the use of overseas stablecoins in UK payment chains; and
  • on the other hand, the BOE said in its discussion paper that it will oversee systemic payment systems involving stablecoins, i.e. those that become widely used as money for everyday payments in the UK economy. This may include stablecoins that are circulated widely enough to disrupt financial stability should their issuers become insolvent.

Some crypto advocates are concerned about a lack of alignment between the proposals, particularly with regard to issuers’ ability to earn interest on reserve assets that back the stablecoins in circulation.

Specifically, the FCA acknowledges in its discussion paper that stablecoin issuers earn most of their revenue by investing reserve assets and earning interest, and it proposes to allow these activities:

We propose that, under our regime, regulated stablecoin issuers can continue to retain, for their own benefit, the revenue derived from interest and returns from the backing assets

By contrast, the BOE suggests that issuers of systemic stablecoins should hold backing assets in central bank reserves, therefore limiting their ability to earn interest on the assets.

This misalignment could mean if a stablecoin firm grows to become systemic it may have to vary its business model under the BOE proposal or limit its further growth.

Paul Worthington, head of regulatory affairs at Innovate Finance says (as quoted by Coindesk):

The FCA is working with the way of the market and the way the market is developing, whereas the Bank of England is actually saying, “No, you need to come up with an entirely new business model”.

The FCA’s proposal also suggested limiting acceptable backing assets to government treasury debt instruments with maturities of one year or less and short-term cash deposits. Some industry advocates are concerned this proposal would also limit asset diversification and unduly undercut issuer’s revenue model.

They compare the UK’s proposal to Singapore’s reserve requirements, which say stablecoins can be backed by “highly liquid and low-risk assets,” including cash and cash equivalents. Some industry groups say they want to include secure and liquid assets like money market funds or longer-term government debt to make up reserves.

Despite this controversy, the UK is making significant steps toward establishing a regulatory framework for stablecoins, which are an important part of the crypto asset ecosystem. The FCA and the BOE aim to consult on final rules by mid-2024, and implement the stablecoin regimes by 2025.

Australia has also recently consulted on regulating payment stablecoins, which forms part of a broader reform proposal intended to modernise Australia’s payment system. Piper Alderman made a submission to the consultation, which can be found here.

By Jake Huang and Steven Pettigrove


Hong Kong to consult on regulation for OTC Crypto Ventures

In a move towards enhancing investor protection and fostering a secure environment for virtual assets, Hong Kong has announced plans to introduce a regulatory framework for over-the-counter (OTC) crypto venues. The Financial Services and the Treasury Bureau (FSTB) revealed their intention in a recent blog post to commence a consultation process “very soon,” covering a wide array of virtual asset outlets, including both physical shops and online platforms.

The decision to regulate OTC venues stems from concerns raised by the FSTB regarding their involvement in fraudulent activities. The FSTB noted instances where these venues played a role in misleading investors and channelling funds to unlicensed VA trading platforms. As a response, the FSTB deems it necessary to bring OTC venues under regulatory oversight to curb such fraudulent practices.

This move follows Hong Kong’s commitment to assisting the development of the virtual asset ecosystem. In October 2023, the FSTB expressed its desire to regulate the crypto sector, culminating in the establishment of a licensing regime for crypto companies in the previous year. To continue operations beyond June this year, crypto companies must obtain approval under the Virtual Asset Service Providers regime, reinforcing the government’s commitment to a regulated and secure blockchain environment.

In addition to OTC venues, Hong Kong is also exploring regulatory measures for stablecoin issuers. The proposed regulatory system aims to mandate fiat-backed stablecoin issuers to obtain a license from the Hong Kong Monetary Authority. This further underscores Hong Kong’s “multi-pronged approach” to comprehensive oversight across various facets of the blockchain ecosystem:

We will continue to use a multi-pronged approach comprising comprehensive public education, enhancing enforcement and timely information dissemination, to facilitate the robust and responsible development of the market.

The move towards regulatory clarity in Hong Kong aligns with global efforts to establish a secure and transparent framework for the evolving blockchain landscape. In conjunction with parallel movements by Securities and Futures Commission (e.g. licensing and tokenisation), Hong Kong is taking proactive steps to protect investors and create a conducive environment for the responsible and continued growth of the blockchain ecosystem.

By Luke Higgins and Michael Bacina


Cambridge University launches Digital Money Site

The Cambridge Centre for Alternative Finance (CCAF) has launched the Cambridge Digital Money Dashboard, an open-access tool focusing initially on stablecoins. The CCAF operates under the University of Cambridge Judge Business School, and is focused on the growth and progression of alternative finance.

The Digital Money Dashboard offers near real-time data and insights into the stablecoin market. The site is focused on educating individuals on digital money and adoption, and also covers several core sections, including:

  • Digital Money 101 – This section examines money’s complex nature, influenced by various contexts and digital currencies’ rise, aiming to navigate readers through changes, risks, and opportunities, highlighting money’s impact on society and promising future in-depth exploration.
  • Adoption – This section hones in on the adoption of stablecoins since 2020 and presents key metrics, such as up-to-date aggregate supply and transfer date activity, of stablecoins.
  • Risk & protections – The Dashboard outlines indicators to understanding risks associated with stablecoins, focusing on historical peg stability. It features a Peg Stability Chart which tracks stablecoin price deviations since 2019, inviting users to explore price behaviour and deviations.

The Dashboard is a powerful tool that showcases complex concepts in an easy to digest, interactive way. The Digital Money 101 section provides a comprehensive overview of different types of money, issuers, and technology as well as the monetary system generally and digital money instruments.

The Risks & protections section effectively explains complex concepts such as price deviations, peg stability indicators, and the impact of reserve asset compositions on stablecoin stability, making these topics understandable for a broad audience. This approach equips readers with an understanding of the function of stablecoins, and how they may lose their pegging, such as in the cases of USDC and Luna.

Importantly, the Dashboard provides information on regulatory regimes in the United States, European Union, United Kingdom and Singapore. The interactive table provides links to source material and information on what these jurisdictions are doing to regulate digital assets.

The Dashboard is an extremely useful tool designed to assist people in understanding the complexities of digital finance created and promoted by one of the world’s most prestigious universities.

By Michael Bacina, Steven Pettigrove and Luke Misthos