Regulatory risk refers to the risk that a change to the laws or regulations will hurt a business by affecting that business, sector, or market.
Change can be the result of:
- a previously unregulated activity being regulated, or
- new rules being applied to a previously-regulated activity.
Rating agencies were not regulated until recently. Every financial crisis engenders new rules on market participants.
A less frequently acknowledged regulatory risk is uncertainty, the result of:
- 1.lack of clarity,
- 2.arbitrary enforcement, and
- 3.new activities or business structures.
Lack of clarity can be the result of:
- 1.time, e.g., a law hasn't yet been interpreted by a regulatory body,
- 2.precedent, e.g., the law has been interpreted, but not in a way that applies to a particular case,
- 3.error, e.g., the interpretation is self-contradictory, or
- 4.conflict, e.g., multiple regulators interpret different laws and apply incompatible interpretations to the same case.
Every regulated business needs to deal with lack of clarity, but the problem is particularly acute in the crypto space because traditional definitions are sometimes difficult to apply to new structures. The SEC, for example, has still not defined when a token is a security.
Financial regulators have evolved to manage a small number of large firms. At this stage the crypto financial landscape is made up of a few medium-sized firms and thousands of smaller companies or DAOs. No regulator has the capacity to even understand what is going on throughout the ecosystem.
As a result, regulatory punishment aims to make examples of a small number of firms. For example, in 2017 the SEC effectively put an end to ICOs by punishing a few ICO "winners" out of existence. Plenty of projects that had raised funding via ICOs were not punished and survive to this day, but ICOs stopped attracting investor money. Arbitrary – or selective – enforcement achieved its goal.
Today, thousands of firms have pre-sold utility and governance tokens. The SEC Chair has already announced that he believes most if not all of those tokens are securities that should have been registered before being sold. We can expect the SEC to arbitrary punish many firms, but this is less likely to kill funding via token sales as the industry has learned from 2017.
Sometimes businesses throw regulators a curve ball by introducing products without historical precedent or by structuring themselves to make regulatory oversight difficult.
Flash loans, for example, have no equivalent in traditional finance. The potential harm caused by this new capability needs to be understood and measured before regulators can even decide what rules, if any, should be applied.
DAOs are potentially troublesome from a regulator's perspective. DAOs are businesses whose activities are mediated by code that may be written and released by anonymous actors. Without a recognized legal entity or individuals, a regulator cannot even start a conversation.
Every jurisdiction is a unique regulatory environment. The regulatory reach of any jurisdiction depends on how regulators think about ownership and control.
Some jurisdictions use the nationality or residence of shareholders to determine whether or not they have regulatory authority over a company. (Note, however, that ownership is more likely a corporate tax issue than a regulatory issue.)
Some jurisdictions use the nationality or residence of directors (corporate officers) to determine whether or not they have regulatory authority over a company.
Traditional firms – until they become multi-national – tend to have very simple jurisdictional considerations. A company incorporated in country X, with its head office in country X, and country X nationals serving as directors is the norm. Very clearly this company will be subject to country X's regulations.
Crypto firms tend to not be very traditional. Crypto is a global phenomenon. Projects are often run by teams with multiple nationalities and multiple residences. Often projects do no have a head office. As a result, regulators in several jurisdictions may try to exert control over these entities.
Jurisdiction shopping, i.e., establishing a company in a favorable jurisdiction or moving from a less favorable to a more favorable jurisdiction is common practice in crypto. This is, however, a short-term solution as jurisdictional arbitrate tends to become more difficult. Engaging with regulators and working towards uniform regulations is likely a better strategy.
In crypto we have three different types of project structures:
Traditional corporate structures are well understood. From a regulatory perspective, obligations and enforcement parameters are clear.
A lot of crypto work is done in the open by a group of individuals who have agreed to collaborate without the use of a corporate umbrella. The maintainers of Bitcoin are a good example of an affiliation that has produced and maintained significant software for over a decade without a corporation.
Regulatory pressure on these affiliations depends on the individuals.
If their identity is know, the citizenship and residence of these individuals matter as they can be used by called, fined, and even jailed by regulatory action.
If their identity is not know – which is becoming more and more common –regulators have a much more difficult job since they need to discover identities before moving forward with any action.
Decentralized Autonomous Organizations (DAOs) are a relatively new type of organization in which governance is exercised by the DAOs token holders (most if not all of whom are anonymous), mediated by smart contracts (software).
When DAOs are first create, they tend to be run by a small team of people. These founders (contributors) may organize via a corporation, foundation or affiliation. These founders may or may not be anonymous. Over time, the number of contributors grows (if all goes well!) and an initial legal entity may be dissolved.
Given this evolutionary pattern, it is clear that the regulators' ability to regulate a DAO changes over time. Early on, a corporation or individuals can be fined. Later, this become more difficult.