Last month, Secretary of the Commonwealth of Massachusetts William Galvin made good on his promise to conduct an exam sweep of ICOs in Massachusetts.  On January 17, the Enforcement Section of the Massachusetts Securities Division brought its first ICO-related enforcement action, an administrative complaint against a company called Caviar and its founder Kirill Bensonoff for violations of state securities laws in connection with Caviar’s ICO. The complaint likely portends increased willingness on the part of state securities administrators to bring enforcement actions against ICO sponsors.  It also offers important lessons about how to conduct offshore ICOs so as to minimize the risk of offers and sales being deemed to be made to U.S. residents.

The complaint tells us that Caviar is a Cayman Islands company that has no actual place of business there, operating instead principally in founder Bensonoff’s home in Massachusetts.

The Caviar token offered in the ICO (CAV) was clearly a securities token; no pretense of a utility token here. Proceeds from the ICO were to be pooled and used to finance the acquisition of a portfolio of various cryptocurrencies, and also to finance short-term “flips” of residential real estate properties. Purchasers of CAV tokens were told they would receive quarterly dividends equal to their pro rata share of 75% of the combined profits from this pooled investment fund of cryptocurrencies and real estate debt. Basically, Caviar was a virtual hedge fund and its tokens had key attributes of limited partnership or membership interests, i.e., they were securities.

The really interesting issue in this dispute would seem to be whether the offering was properly conducted offshore as intended and thus outside the jurisdiction of Massachusetts’ Securities Division (or any other securities regulators in the U.S.). Caviar’s argument would seem to be that the offering was made offshore and that they employed safeguards to ensure that no offers and sales were made to United States persons. Caviar’s ICO white paper states that United States persons (within the meaning of Rule 902 of Regulation S) are excluded from the offering and are explicitly restricted from purchasing CAV.

Before the complaint was filed, investors apparently had been purchasing CAV by visiting Caviar’s website at www.caviar.io (after the complaint was filed, the site was modified to greet U.S. persons with the following message: “It appears you are accessing caviar.io from United States of America.  Unfortunately, this website is not available in the United States of America.”).  To register for the offering, prospective investors were asked to provide an e-mail address and check two boxes. The first box indicated “Not U.S. person”, and the second box stated that the investor consulted with an experienced lawyer who advised the investor that he or she is eligible to invest. Caviar retained the services of an independent third party to screen out ineligible persons based on internet protocol addresses, i.e., numeric labels assigned to users or devices by internet service providers. If an individual was identified as a potentially prohibited purchaser, he or she would be prompted to upload copies of a government-issued photo identification. In sworn testimony given by Bensonoff before the Securities Division in this matter, he stated that “as far as [he knows], there’s not a single U.S. investor who has contributed.”

In the complaint, the Securities Division asserts that Caviar’s procedures to prevent the sale of CAV to U.S. investors are inadequate because Caviar’s identity verification procedures were relatively easy to circumvent. To prove the point, it had one of its investigators apply to participate in the Caviar ICO using the name of a “popular cartoon character”. The complaint doesn’t identify the cartoon character, perhaps in an effort to protect the Securities Division’s sources (if not its methods). When prompted to upload a photo ID (apparently because the investigator’s IP address indicated he was located in the U.S.), the investigator uploaded a photo of a government-issued photo ID obtained using a Google Image search. But the name, address, and date of birth listed on the submitted ID image didn’t match the personal information provided earlier by the investigator. Nevertheless, the investigator’s identity was “verified,” and the investigator was approved to participate in the Caviar ICO.

The complaint brought by the Massachusetts Securities Division offers some useful lessons for properly conducting an offshore ICO.  First, investor check-the-box self-certification will not suffice in the absence of effective verification measures by the sponsor to screen out ineligible persons. Second, inasmuch as it’s possible to identify applicants’ approximate geolocation based on internet protocol addresses, offshore ICO sponsors should carefully monitor the IP addresses of online investor applicants. Third, all applicants should be prompted to upload a copy of a government-issued photo ID, which should be carefully checked by the sponsor (either directly or through independent third parties) against other personal information provided by the investor.  Fourth, any attempt emanating from a U.S. IP address to open a link to an offshore ICO site should be directed to an alternate dead-end page that states nothing more than that the person seeking access appears to be in the U.S. and that the website is not available in the U.S.  Finally, a sponsor’s culpability will not be mitigated by lack of actual knowledge of any U.S. person purchases.

December 11, 2017 was a day of reckoning for entrepreneurs conducting or contemplating initial coin offerings, and for securities professionals who advise them.  First, a company selling digital tokens to investors to raise capital for its blockchain-based food review service abandoned its initial coin offering after being “contacted” by the Securities and Exchange Commission, and agreed to a cease-and-desist order in which the SEC found that its ICO constituted an unregistered offer and sale of securities. On the same day, SEC Chairman Jay Clayton issued a “Statement on Cryptocurrencies and Initial Coin Offerings”, warning “Main Street” investors and market professionals about investing and participating in ICOs, and reiterated the SEC’s determination to apply the securities laws to transactions in digital tokens. These two actions are the latest in a series of steps by the SEC to send a clear message that it intends generally to enforce the securities laws with respect to ICOs that emphasize the profit potential of tokens where such profit derives from the efforts of the entrepreneurs of the underlying project.

Cease and Desist Order

Munchee Inc. is a California-based company that developed an iPhone app for people to review restaurant meals. In October and November 2017, Munchee offered and then sold digital tokens it called “MUN” to be issued on a blockchain, seeking to raise approximately $15 million to improve the app and recruit users to eventually buy ads, write reviews, sell food and conduct other transactions using MUN. On or about October 31, 2017, Munchee started selling the MUN tokens. The next day, Munchee was “contacted” by the SEC staff, probably threatening cease and desist proceedings. The message was communicated loud and clear, because within hours Munchee stopped selling MUN tokens and promptly returned to purchasers the proceeds that it had already received. In anticipation of the institution of cease and desist proceedings, Munchee submitted an offer of settlement and consented to entry of the cease-and-desist order.

Despite Munchee holding itself out as offering a utility token that is not a security, the SEC’s position was that the MUN token was a security because the totality of Munchee’s efforts relating to the ICO resulted in purchasers’ reasonable expectation of profits from the entrepreneurial efforts of Munchee’s management team. Interestingly, Munchee’s white paper included a three-page legal disclaimer stating that it conducted a Howey analysis with the assistance of counsel and concluded that its MUN utility token didn’t pose a “significant risk of implicating federal securities laws”. As the order notes, however, the white paper did not set forth the actual analysis.

The SEC’s case that Munchee’s ICO of MUN tokens was a securities offering rests largely on the following arguments:

  • Token purchasers were led to believe that efforts by Munchee would result in an increase in value of the tokens.
  • Increase in value of the MUN tokens would occur whether or not purchasers ever used the Munchee restaurant app or otherwise participated in the MUN “ecosystem”.
  • Munchee emphasized it would take steps to create and support a secondary market for the tokens.
  • Promotional efforts included blatant predictions of increase in value of the token.
  • The ICO targeted digital asset investors, as opposed to targeting current users of the Munchee app or restaurant owners regarding the utility of the tokens.
  • The ICO was promoted in worldwide publications, despite the app only being available in the United States.
  • Munchee paid people to translate offering documents into multiple languages, presumably to reach potential investors in other countries where the Munchee app was unavailable.

The order asserts that in the course of the ICO, Munchee and its promoters emphasized that investors could expect that there would be an increase in value of the MUN tokens resulting from efforts by Munchee, including paying users in MUN tokens for writing food reviews, selling both advertising to restaurants and “in-app” purchases to app users in exchange for MUN tokens, and working with restaurant owners so diners could buy food with MUN tokens and so that restaurant owners could reward app users in MUN tokens.

Munchee also emphasized in the ICO that it would take steps to create and support a secondary market for its tokens, including potentially burning (i.e., taking out of circulation) a small fraction of MUN tokens whenever a restaurant pays Munchee an advertising fee and buying or selling MUN tokens using its retained holdings in order to ensure there was a liquid secondary market for MUN tokens.

The SEC chose not to impose a civil penalty here, largely because of the remedial acts promptly undertaken by Munchee and the cooperation it afforded to the SEC staff.  Instead, the SEC ordered Munchee to cease and desist from committing or causing any violations and any future violations of Sections 5(a) and (c) of the Securities Act.  This is no slap on the wrist, however, inasmuch as it disqualifies Munchee from engaging in the next five years in an offering exempt under Regulation A or Rule 506 of Regulation D, the two likely securities exemptions for ICOs.

Chairman Clayton’s Statement

On the same day as the Munchee cease-and-desist order, SEC Chairman Jay Clayton issued a “Statement on Cryptocurrencies and Initial Coin Offerings” directed principally at “Main Street” investors and market professionals (including broker-dealers, investment advisers, exchanges, lawyers and accountants). The Statement asserts that in the aftermath of the SEC’s July 2017 investigative report applying securities law principles to demonstrate that the DAO token constituted an investment contract and therefore was a security, certain market professionals had attempted to highlight utility characteristics of their proposed tokens in an effort to claim that the tokens were not securities. “Many of these assertions appear to elevate form over substance”, Chairman Clayton noted, adding that “replacing a traditional corporate interest recorded in a central ledger with an enterprise interest recorded through a blockchain entry on a distributed ledger may change the form of the transaction, but it does not change the substance”.

Particularly chilling for me as a securities lawyer was the following admonition by Chairman Clayton:

“On this and other points where the application of expertise and judgment is expected, I believe that gatekeepers and others, including securities lawyers, accountants and consultants, need to focus on their responsibilities. I urge you to be guided by the principal motivation for our registration, offering process and disclosure requirements: investor protection and, in particular, the protection of our Main Street investors” (bold appears in original Statement).

In the Statement, Chairman Clayton presents interesting, contrasting hypothetical business models for the distribution of books to illustrate the difference between a utility token and a securities token. An example of what would be characterized as a utility token that’s not a security would be a book-of-the-month club selling tokens representing participation interests in the club as simply an efficient way for the club’s operators to fund the future acquisition of books and facilitate the distribution of those books to token holders. In contrast are interests in a yet-to-be-built publishing house where the token purchasers have a reasonable expectation of profit through the entrepreneurial efforts of the founders to organize the publisher’s authors, books and distribution networks. Chairman Clayton added that an additional circumstance contributing to a conclusion that a utility token is a security would be when promoters tout the secondary market trading potential of their tokens and the potential for the tokens to increase in value, which are “key hallmarks of a security and a securities offering”.

There should be no doubt about the seriousness with which Chairman Clayton is approaching the issue.  Toward the end of the Statement, he states that he has “asked the SEC’s Division of Enforcement to continue to police this area vigorously and recommend enforcement actions against those that conduct initial coin offerings in violation of the federal securities laws”.

Bloomberg reported on October 16 that over $3 billion has been raised in over 200 initial coin offerings so far this year. It remains to be seen whether the pace of ICOs will slow down in the face of regulatory headwinds such as the outright ICO bans in China and South Korea. Here in the United States, the Securities and Exchange Commission has been sounding alarm bells. On July 25, the SEC’s Division of Enforcement issued a Report of Investigation finding that tokens offered and sold by a virtual organization known as “The DAO” were securities and therefore subject to the federal securities laws. I blogged about it here. On the same day the SEC issued the report, its Office of Investor Education and Advocacy issued an investor bulletin to make investors aware of potential risks of participating in ICOs.  Then on September 29, it charged a businessman and two companies with defrauding investors in a pair of ICOs purportedly backed by investments in real estate and diamonds. And on November 1, it issued a “Statement on Potentially Unlawful Promotion of Initial Coin Offerings and Other Investments by Celebrities and Others”, warning that any celebrity or other individual who promotes a virtual token or coin that is a security must disclose the nature, scope, and amount of compensation received in exchange for the promotion.

Needless to say, the days of ICOs flying below the SEC’s radar are over, and developers conducting token sales to fund the development of a network need to be aware of the securities law implications of the sale.  In its Report of Investigation, the SEC made clear (what most of us suspected all along) that the traditional Howey test for determining whether a funding mechanism is an “investment contract” and thus a “security” applies to blockchain-based tokens. I won’t go into a deep dive here. For those wanting to jump into the weeds, Debevoise has done a pretty good job on this. But the basic test under Howey is that an agreement constitutes an investment contract that meets the definition of a “security” if there is (i) an investment of money, (ii) in a common enterprise, (iii) with an expectation of profits, (iv) solely from the efforts of others.

It’s useful to consider that blockchain tokens fall generally into two broad categories. “Securities tokens” are basically like shares in a corporation or membership interests in a limited liability company where the purchaser receives an economic right to a proportional share of distributions from profits or a sale of the company. On the other hand, “utility tokens” don’t purport to offer purchasers an interest or share in the seller entity itself but rather access to the product or service the seller is developing or has developed. Unfortunately, there exists virtually no SEC or case law guidance on securities law aspects of utility tokens. The token at issue in the SEC’s investigative report on The DAO was a securities token. The DAO was a smart contract on the Ethereum blockchain that operated like a virtual venture fund. Purchasers would share in profits from the DAO’s investments and so the tokens were like limited partnership interests.

The question of whether utility tokens are securities may turn on whether the blockchain network for which the tokens will function is fully functional or still in development, and an interesting debate has emerged as to whether there should be a bright line test on that basis.

One side of the debate, advanced by Cooley (Marco Santori) and Protocol Labs (Juan Batiz-Benet and Jesse Clayburgh), is that purchasers of utility tokens prior to network launch and before genuine utility necessarily rely on the managerial and technical efforts of the developers to realize value from their tokens. Accordingly, agreements for the sale of pre-functional tokens meet the “expectation of profit” and “through the efforts of others” prongs of Howey and should be characterized as securities. On the other hand, fully functional utility tokens should not be considered securities because they fail the “through the efforts of others” prong of Howey and maybe even the “expectation of profit” prong.  Purchasers of fully functional tokens are likely to be people seeking access to the seller’s network as consumers or app developers with any expectation of profit from appreciation of the tokens being a secondary motivation, so the expectation of profit prong of Howey fails as to those purchasers. The same conclusion should apply even as to the other type of purchaser who is motivated primarily by the prospect of a token resale for profit because the profit that is hoped for is not expected to come through the managerial or entrepreneurial efforts of the developers, but rather through the many different independent forces that drive supply and demand for the tokens. There is a line of cases involving contracts for the purchase of commodities holding that they are not securities because the expectation of profit was solely from fluctuations in the secondary market, and not from any efforts on the part of the producer. Fully functional tokens are analogous to commodities in that the token developers have completed development of the network, and so there should not be any expectation that profit will result from any further efforts by the seller.

On the other side of the debate is Debevoise, which advocates for a facts and circumstances approach, rejects the bright line test of whether or not a utility token is fully functional and offers several arguments. The determination of whether an agreement is an investment contract and thus a security has long been based upon a facts and circumstances analysis. A blockchain token is not a homogenous asset class; a token could be a digital representation of an equity or debt security but it could also represent things like hospital records or a person’s identity, and that particular character of the token is unaffected by whether the network is or is not fully functional. Also, there is an implicit recognition in the JOBS Act that pre-order sales on non-equity crowdfunding sites like Kickstarter and Indiegogo are not sales of securities, and that pre-functional utility token sales should be analyzed the same way.  It also questions whether agreements by a mature company to presell a new product in development would automatically be deemed an investment contract. Finally, there’s the difficulty of determining when exactly a token is fully-functional given the complexity of software and network development.

Seems to me that the arguments on both sides of the utility token debate have merit.  I do think there’s a distinction, though, between pre-order sales of product by a mature company and a sale of pre-functional tokens, in that the tokens most likely can be sold on a secondary market, with any profit likely resulting from the entrepreneurial efforts of the developer.  I also think that until we have guidance from the SEC and/or judicial opinions on the issue, the better approach is to treat clearly pre-functional tokens as investment contracts and conduct their sale under an exemption from registration.