Module 3: Legal & Regulatory Framework

MiCA creates three main categories: Asset-Referenced Tokens (ARTs), E-Money Tokens (EMTs), and other crypto-assets (including utility tokens and Bitcoin/Ethereum).

The CFTC has declared Bitcoin and Ethereum to be commodities, giving it jurisdiction over crypto derivatives and spot market fraud cases.

MiCA grants passporting rights - a CASP authorized in any EU member state can provide services across all 27 member states without additional authorization.

The New York BitLicense was introduced in 2015, making it one of the first comprehensive state-level crypto regulatory frameworks in the US.

Singapore regulates crypto primarily through the Payment Services Act 2019 (as amended), which creates a licensing framework for Digital Payment Token (DPT) services.

IAMAI v. RBI (2020) struck down the RBI circular prohibiting banks from dealing with crypto entities, finding it disproportionate under the proportionality test.

Section 115BBH imposes a 30% flat tax rate on VDA gains, with no distinction between short-term and long-term, and no slab benefit.

Section 194S requires 1% TDS on the consideration paid for VDA transfers when the aggregate value exceeds the threshold.

Under Section 115BBH, crypto losses cannot be set off against any income (including other crypto gains) and cannot be carried forward.

The March 2023 Ministry of Finance notification amended PMLA to include Virtual Digital Asset Service Providers as reporting entities requiring FIU-IND registration.

SEC v. W.J. Howey Co. (1946) involved the sale of orange grove parcels with service contracts. The Court established the investment contract test still used today.

The Howey Test has four prongs: (1) Investment of money, (2) Common enterprise, (3) Expectation of profits, (4) From efforts of others.

Hinman stated that if a network is sufficiently decentralized, purchasers would no longer reasonably expect essential efforts from a promoter, potentially negating the security classification.

The DAO Report (2017) was the SEC's first major statement, declaring that DAO tokens were securities and establishing Howey Test application to crypto.

The 2023 ruling found that institutional sales were securities, but programmatic sales on exchanges to blind buyers were not securities, as buyers didn't know who they were buying from.

A SAFT is itself a security (investment contract), though the tokens delivered upon network launch may be utility tokens if the network is functional at delivery.

FATF Recommendation 16 is known as the Travel Rule, requiring VASPs to collect, hold, and transmit originator and beneficiary information for VA transfers.

VASP stands for Virtual Asset Service Provider, as defined by FATF to include exchanges, custodians, and other crypto service businesses.

Travel Rule requires name, wallet address, and physical address (or national ID/customer number), but social security number is not specifically required.

Tipping-off - informing a customer that an STR has been filed - is a criminal offense in most jurisdictions.

OFAC has designated specific cryptocurrency wallet addresses associated with ransomware and sanctioned parties. VASPs must screen transaction addresses against these lists.

Chainalysis is the market leader in blockchain analytics for AML compliance, offering KYT (Know Your Transaction) for real-time monitoring.

EU authorities have indicated that wallet addresses should be treated as personal data since they can often be linked to identities through exchanges or on-chain analysis.

GDPR Article 17 provides for the right to erasure (also known as the "right to be forgotten"), which conflicts with blockchain immutability.

The best practice is to store personal data off-chain (where it can be deleted) with only hashes or references stored on the blockchain.

The Digital Personal Data Protection Act (DPDPA) 2023 was enacted in August 2023, creating India's first comprehensive data protection framework.

Zero-knowledge proofs allow proving facts about data without revealing the data itself - for example, proving someone is over 18 without revealing their birthdate.

Under DPDPA, a Data Fiduciary is equivalent to GDPR's data controller - the entity that determines purposes and means of processing personal data.

Substance over form - regulators look at economic realities, not labels. Calling something a "utility token" doesn't prevent it from being classified as a security.

A SAFT converts to tokens upon a Network Launch Event - when the network becomes functional and tokens can serve their utility purpose.

"Code is law" means the smart contract code is the definitive agreement - if code and legal terms conflict, the code controls.

Token agreements should include comprehensive risk disclosures covering technology, regulatory, market, project, and security risks. Never guarantee prices, profits, or returns.

The UK FCA's financial promotions regime for crypto came into effect in October 2023, requiring approval of promotions and mandatory risk warnings.

RBI launched the Digital Rupee retail pilot in December 2022, following the wholesale pilot in November 2022.

Under Swiss FINMA's three-category system, asset tokens (representing assets, earnings, or equity) are treated as securities requiring a prospectus.

VASPs must typically retain customer records for 5 years after the relationship ends, in line with FATF recommendations and most national AML laws.

Enhanced Due Diligence is required for high-risk customers including PEPs, customers from high-risk jurisdictions, and complex corporate structures.

The fundamental tension is between blockchain's immutability (data cannot be altered) and data protection laws' right to erasure (individuals can demand deletion).

Crypto-shredding (or encryption key destruction) renders encrypted data permanently inaccessible - a potential method for satisfying erasure requirements on immutable blockchains.

Arbitration is preferred for international disputes due to neutral forum selection and enforceability under the New York Convention across 160+ countries.

MiCA's stablecoin rules (ART and EMT provisions) became effective in June 2024, with full MiCA application in December 2024.

The Court found the circular disproportionate under the proportionality test - it had the effect of killing the industry without demonstrated actual harm to regulated entities.

The fourth Howey prong asks whether expected profits derive from the managerial or entrepreneurial efforts of others (the promoter or third party).

FATF stands for Financial Action Task Force, the intergovernmental body that sets global AML/CFT standards.

A DPIA is required when processing is likely to result in high risk to individuals, including use of new technologies like blockchain where risk is unclear.

Class action waivers require disputes to be brought individually, preventing plaintiffs from joining together in class action lawsuits against the company.

Wyoming created the SPDI charter, offering a crypto-friendly bank charter that allows custody of digital assets.

SEC no-action letters (TurnKey Jet, Pocketful of Quarters) were for tokens with immediate utility and functional networks at launch, with no profit expectations.

Unhosted (self-custody) wallets have no VASP to receive transmitted information, making Travel Rule compliance challenging for transfers to/from these wallets.

A severability clause ensures that if one provision is found unenforceable, the rest of the agreement survives and remains valid.