What is blockchain?
Distributed Ledger Technologies (DLT)
DLT is a decentralised ledger of transactions with identical copies maintained on multiple independent computer systems. This means the transaction ledger is maintained simultaneously across a network of unrelated computers or servers called “nodes”, like a spreadsheet that is duplicated thousands of times across a network of computers.
Blockchain is a form of DLT which refers to the way in which data is stored on the ledger. On a blockchain network, data is stored in a block and bundled with other data. The block serves as a container of multiple data points and all blocks are stored in a specific order. The blocks are typically chained together by cryptographic locks. This forms a continuous and complete record (the “chain”) of all transactions performed.
A block is only added to the chain if the nodes, which are members in the blockchain network (with high levels of computing power), reach consensus on the next valid block to be added to the chain. A transaction can only be verified and form part of a candidate block if all the nodes on the network confirm that the transaction is valid. The technical details of how to achieve consensus vary.
Smart contracting is one of the promising applications of DLT.
Smart contracts are self-executing code on a blockchain ledger that automatically implements the terms of an agreement between parties through the use of consensus protocols. As the smart contract protocol is operated by a distributed database there is no need for a third-party intermediary. Popular computing platform Ethereum is based on a blockchain system with smart contract functionality.
Smart contracts have particular application in respect of frequent transactions occurring among a network of parties which involve manual or duplicative tasks for each transaction. The blockchain can act as a secure, single source of trust using smart contracts to automate approvals, calculations and other transacting activities that are prone to lag and error when performed by humans.
Smart contracts have the potential to allow businesses to bypass today’s sprawling and inefficient financial back offices and legal systems.
Permissioned and permissionless networks
DLT can take various forms and can be permissioned or permissionless.
Permissioned systems are private networks where data authorization depends upon the agreement of multiple pre-defined servers. The networks require organisation and governance to regulate who is entitled to participate and the basis upon which they will participate (eg unanimous agreement, core group acceptance, single user invitation and satisfaction of pre-determined requirements). The popular cryptocurrency Ripple operates on a permissioned blockchain. The digital currency utilises a network of trusted parties that constantly compare transaction records.
In contrast, permissionless blockchains operate in the public domain and anyone who downloads the software is able to participate. The participants are generally unknown to each other and details of a transaction are visible to the general network and the public. The popular digital currency Bitcoin runs on a permissionless blockchain.
Legal issues with DLT
Data Privacy and the right to be forgotten
The appeal of DLT to many users is trust. In a centralised system, such as a bank or government agency, a ledger of transactions is stored within a single entity, giving that entity control over the ledger. Often, only the central institution is privy to the transaction. In a distributed ledger, however, the transparency of each transaction distributed across a network of nodes creates an immutable shared record of the “truth” that is extremely difficult to tamper with. The ledger is guaranteed by mathematical rules and impregnable cryptography rather than humans and institutions.
Inherent in enhanced transparency are data privacy concerns. For example, in the Bitcoin protocol, each transaction originates from an address, represented by a series of symbols, letters and numbers. The balance associated with an address cannot be divided into smaller amounts. However, it is possible to use the same address as both input and output, allowing a portion of a user’s Bitcoins to be transferred to another address, with the remainder being transferred back to the originating address. Attackers can use this to link certain addresses to determine the number of active entities.[1]
This distribution of data may violate certain data protection laws which carry severe penalties in some jurisdictions.
On 28 May 2018, the EU’s General Data Protection Regulation (GDPR) came into effect. The conflict between the transparency of blockchain and the GDPR personal data regulations creates potential legal issues.
Article 17 of the GDPR demands that companies must erase personal data of individuals when they request to be ‘forgotten’.[2] However, one of the defining features of blockchain is its immutability of data. The GDPR does not offer a definition of ‘erase’ but a literal reading would suggest physical deletion of the data. Deleting a string of personal data from a blockchain can require significant computer power and expense, particularly on permissionless networks.[3]
The definition of “personal data” in Article 4[4] of the GDPR is sufficiently broad to theoretically encompass information including someone’s hair colour, political opinions and occupation. However, the application of the GDPR can depend upon the context of collection and the use of the information. For example, an organisation that collects information on people who download products from their website may ask them to state their occupation. This does not necessarily fall under the GDPR’s scope as many people may hold the same occupation. It is only when pieces of information are collected together to narrow down the possibilities of reasonably establishing someone’s identity that the information, as a whole, is personal data.[5]
When a new transaction is recorded on the blockchain, the input data is displayed as a hash, being a combination of numbers and letters of a fixed length produced by an applied algorithm (the hash function). Essentially, a hash represents a series of transactions contained in a block. A hash is not so much a unique identifier, as it is an output display representing a series of transactions within a block. It is uncertain whether a hash displayed on the blockchain constitutes personal data.
A solution to GDPR issues may be to store personal data in separate “off-chain” databases and store the reference to the data on the blockchain. This would mean that it is possible to completely erase data in the off-chain storage. However, the benefit of transparency associated with blockchain would be reduced.[6]
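The hash chaining described under "Distributed Ledger Technologies" and the off-chain approach above can be seen together in the following added Python example, which is not part of the original article. The function names, the use of an HMAC with a random per-record salt as the on-chain reference, and the sample records are assumptions made for the illustration.

```python
import hashlib, hmac, json, os

GENESIS = "0" * 64

def block_hash(index, prev, ref):
    body = json.dumps({"index": index, "prev": prev, "ref": ref}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def commit(salt, data):
    return hmac.new(salt, data.encode(), hashlib.sha256).hexdigest()

def append(chain, ref):
    """Add a block that commits to the hash of the block before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"index": len(chain), "prev": prev, "ref": ref,
                  "hash": block_hash(len(chain), prev, ref)})

def verify(chain):
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or b["hash"] != block_hash(b["index"], prev, b["ref"]):
            return False
        prev = b["hash"]
    return True

def put(store, data):
    """Keep data and a random salt off-chain; return the keyed hash that goes on-chain."""
    salt = os.urandom(32)
    ref = commit(salt, data)
    store[ref] = (salt, data)
    return ref

def resolves(store, ref):
    """True only while the off-chain record exists and still matches the reference."""
    rec = store.get(ref)
    return rec is not None and hmac.compare_digest(commit(*rec), ref)

def demo():
    chain, store = [], {}
    refs = [put(store, p) for p in ("Alice Example, nurse", "Bob Example, teacher")]  # constructed
    for ref in refs:
        append(chain, ref)
    before = resolves(store, refs[0])
    del store[refs[0]]                    # erasure: data and salt gone, ledger untouched
    after, intact = resolves(store, refs[0]), verify(chain)
    chain[0]["ref"] = "f" * 64            # attempt to rewrite history in place
    return before, after, intact, verify(chain)
```

The salt matters because an unsalted hash of low-entropy personal data can be matched by hashing guesses; once the salt is deleted with the record, the reference left on the ledger can no longer be tested against candidate data.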
Money laundering and organised crime
One of the common criticisms of the anonymity inherent in blockchain transactions is that they can be, and increasingly are, used to facilitate criminal activity.[7]
This has led to regulatory responses including recent amendments to the Anti-Money Laundering and Counter Terrorism Financing Act, which place significant obligations on digital currency exchanges, including to register with the Australian Transaction Reporting and Analysis Centre (AUSTRAC) and to maintain a compliant anti-money laundering and counter terrorism financing program. This means digital currency exchanges must collect information to establish a customer’s identity, monitor transactional activity and report transactions or activity that are suspicious or involve amounts of cash over $10,000.
Digital currency exchanges must also specify how they mitigate and manage the risk of their products or services being misused to facilitate money laundering or terrorism financing.
In addition, AUSTRAC is building a proof of concept that will automate some anti-money laundering and know your customer reports on the blockchain. They are also looking into smart contract applications for international fund transfer instructions and threshold transaction reports.[8]
DLT and financial services laws
ASIC Information Sheet 219[9]
In INFO 219, ASIC stated a belief that the existing regulatory framework is able to accommodate DLT use cases. The information sheet is intended to fill the dialogue between ASIC and the industry as DLT matures.
The information sheet highlights several key initiatives ASIC has undertaken in relation to DLT including industry engagement, the establishment of an Innovation Hub to help fintech start-ups navigate regulatory systems and fintech AFS and credit licensing exemptions.
ASIC has also established a number of initiatives to continue to engage with the industry and regulators, including the ASIC Digital Finance Advisory Committee and a number of memoranda of understanding with overseas regulators.
INFO 219 suggests that when establishing a DLT for your business, it is important to consider the following:
- How will the DLT be used?
- What DLT platform is being used?
- How is the DLT using data?
- How does the DLT work under the law?
- How is the DLT run?
- How does the DLT affect others?
Classification of digital currency issued under an ICO
ASIC, in its 2014 submission to the Senate inquiry into digital currency, stated that digital currencies are not financial products. It also stated that digital currencies are not a currency or money for the purposes of the Corporations Act. It is important to note, however, that ASIC’s submission focused on Bitcoin and similar digital currencies which are produced by a process called mining rather than being offered under an initial coin offering (ICO).
If it is a financial product, it will be subject to the general law as well as a variety of licensing, disclosure and registration obligations pursuant to the Corporations Act.
Notwithstanding its 2014 position, in September 2017, ASIC released INFO 225, an information sheet focused on ICOs.[10] INFO 225 makes clear that where a digital currency contains additional features it may be considered a financial product. ASIC will focus on substance over form, meaning the mere fact that a digital currency issued is described as a utility token does not mean it is not a financial product. It is important to consider all the rights and features associated with the digital currency. Digital currencies offered under an ICO could be considered a financial product, including in the following circumstances:
1. Managed Investment Scheme
A managed investment scheme is an arrangement to which people contribute money or assets to obtain an interest in a scheme, the contributions are pooled to produce financial benefits or interests in property and the contributors do not have day to day control over the operation of the scheme.
Digital currency issued under an ICO may be a managed investment scheme if the value of the digital currency is affected by the pooling of funds from contributors or use of those funds under the arrangement.
2. Shares
Shares are an interest in a body generally carrying rights of ownership, voting and the right to receive dividends. If ownership of digital currency provides rights akin to rights attaching to a share, then it is likely the digital currency is considered a share (or a security).
3. Derivatives
Digital currencies with values based on factors such as another financial product, underlying market index or asset price moving in a certain direction may be a derivative.
4. Non-cash payment facility
A non-cash payment facility is a facility through which a person makes payments through means other than physical delivery of currency. ASIC is of the view that digital currencies offered under ICOs are unlikely to be non-cash payment facilities. Nevertheless, a non-cash payment facility may be involved in an ICO where digital currency is converted into fiat currency to enable completion of payments.
Crypto asset trading platform and financial markets
If digital currency is considered a financial product, then any platform on which customers are able to buy and sell crypto-assets may be considered a financial market. For a financial market to operate in Australia, the operator must hold an Australian market licence.
DLT use cases
Blockchain and smart contract applications are currently being used in the financial services sector, both by start-ups and established financial service providers. The use cases reach multiple areas of financial services including cross-border transactions, share trading, identity management and securities. Below are just a few examples of DLT use cases.
In June 2018, the ASX announced that it will use a permissioned DLT as part of the CHESS replacement. ASX has also contracted developers to write its smart contract language to model sophisticated, multi-party applications that run on the DLT platform.[11] This platform is likely to be switched on between September 2020 and March 2021 and will offer the possibility of settling trades in one day rather than two, with significantly reduced risk. The DLT will be used to clear and settle the $2 trillion cash Australian equities market. Financial services entities will be able to ‘take a node’ on the distributed ledger, allowing them to see real-time data on equity ownership without having to reconcile their own ledgers with ASX’s.[12]
In August 2018, the World Bank launched bond-i, the world’s first bond to be created, allocated, transferred and managed through its life cycle using DLT. The World Bank mandated Commonwealth Bank as the arranger for the bond. The bond attracted significant investors including First State Super, NSW Treasury Corporation, Northern Trust and QBE.[13]
This represents a broader strategic focus of the World Bank to harness the potential of disruptive technologies for development, evidenced by their June 2017 launch of a Blockchain Innovation Lab to understand the impact of blockchain and other disruptive technologies.
KYC and identity management
Know your customer (KYC) requests cause delays to banking transactions, typically taking days or weeks to complete. Current KYC processes also require duplication of effort between banks and other third-party institutions. The high compliance costs and penalties for not following KYC protocols create significant costs to banks.
HSBC, OCBC Bank, Deutsche Bank, Mitsubishi UFJ Financial Group and the Treasuries of Cargill have formed a consortium to complete a proof of concept for a KYC blockchain.[14] The existing KYC process consists of submitting a set of identification documents each time an individual or corporate customer starts a new relationship with a bank. This manual process gives rise to inconsistent information and customer information not being promptly updated.
The KYC blockchain enables structured information to be recorded, assessed and shared across networks with advanced cryptography protecting the data’s integrity. Customers’ information can be encrypted on a shared ledger and validated through reference to government registries, tax authorities and credit bureaus. With customer consent, banks are able to collect, validate and share data with efficiency and accuracy.
In 2015, Nasdaq debuted its blockchain product, Linq, becoming the first major global stock exchange to publicly trial blockchain technology. The platform allows the transfer of shares of privately held companies. This demonstrates how asset trading could be managed digitally through the use of blockchain-based platforms. Linq share issuers are able to log in to find a cap-table management dashboard complete with valuation, the share price issued in each investment round and the percentage of stock options available.
Blockchain is not just cryptocurrencies. Blockchain technology is a business improvement software that will become increasingly relevant to all aspects of our lives. Smart contracts will also become increasingly relevant to the practice of law as blockchain technology becomes more widely adopted. Notwithstanding the steep learning curve, readers would be well advised to educate themselves on blockchain and stay abreast of developments.
[1] Elli Androulaki et al., Evaluating User Privacy in Bitcoin, Financial Cryptography & Data Security (2013), available at http://eprint.iacr.org/2012/596.pdf