This article first appeared in Crypto News Asia on Mar 18, 2018; and is updated quarterly.


A cryptocurrency is a form of digital asset that works as a medium of exchange, which is created and stored electronically in the blockchain (which is a public transaction database that functions as an electronic distributed ledger or list of entries that is maintained by various participants in a network of computers), and it uses cryptography (a form of encryption technology) to control the creation of monetary units and to verify transactions on the blockchain, thus providing assurance to blockchain users that entries are secure. As cryptocurrency is created on a decentralized network, it operates independently of a central bank, central authority or government.

Bitcoin was the very first decentralized cryptocurrency, created by Satoshi Nakamoto (whose real identity remains a mystery) in 2009. Today, cryptocurrency has become a global phenomenon. As of January 2018, there are more than 1,300 cryptocurrencies available over the Internet. By market capitalization, Bitcoin is the largest blockchain network, followed by Ethereum, Ripple, Bitcoin Cash, Litecoin and NEO.[1]

The rise of cryptocurrencies has led to a new way of fund raising called Initial Coin Offering (ICO), also called Initial Token Offering (ITO) or Token Generation Event (TGE). Since late 2016, ICOs have been gaining its popularity (especially among tech start-ups and Internet companies) and the amount of money raised by start-ups via ICOs has surpassed early stage venture capital funding.[2] In 2017 alone, there were 210 ICOs which collectively have raised US$ 3.8 billion.[3]

What is an ICO?

ICO – a term intentionally coined to mirror Initial Public Offering (IPO), is essentially an alternative form of crowdfunding. Investors can either participate by transferring fiat currencies (real money such as US Dollar) or cryptocurrencies (such as Bitcoin or Ether) to the issuer in exchange for the issuer’s own digital tokens (virtual coins or tokens). Virtual coins or tokens represent a holder’s right of benefit or performance vis-à-vis the issuer and such virtual coins or tokens may be used for payment to the issuing company for its services or products. Unlike a traditional IPO, virtual coins or tokens do not represent an ownership interest or dividend right in a company. In other words, virtual coins or tokens are not equivalent to shares in a company, and virtual coin or token holders are not shareholders of the company.

Similar to IPOs, the issuer can use the funds raised from an ICO to fund development of a digital platform, software or other projects and that the virtual coin or token holders may use the virtual coins or tokens to access the platform, use the software or otherwise participate in the project. Some of these virtual coins or tokens are tradable on cryptocurrency exchanges, which creates a secondary trading market. From the perspective of the regulators, depending on the facts and circumstances of each individual ICO, the virtual coins or tokens that are offered or sold may be securities. If they are securities, the issuers of these virtual coins or tokens must comply with the securities laws.[4]

While ICO may appear as an innovative and appealing way to raise funds, it nonetheless poses certain risks and challenges, particularly to investors. As ICO is carried out entirely over the Internet, the technology that supports the ICO may be susceptible to fraud, glitches, hacking or malware. Due to the nature of its borderless transaction and decentralized network, it creates a lot of challenges to law enforcement authorities when it comes to tracing the flow of money, freezing or securing investor funds that are held in a cryptocurrency wallet, which is often encrypted.

As a result of its exponential growth and the limited investor protection that an ICO offers, ICOs are increasingly being scrutinized by regulators around the world. While there has yet to be an ICO-specific legislation, it does not mean that ICO goes completely unregulated. Regulators are applying existing laws and regulations to ICOs and some progressive regulators are in the process of drafting specific ICO regulatory framework that hopefully will provide guidance and standard on running an ICO and protecting investors and financial markets as a whole.

Regulatory requirements for ICOs vary from country to country and for the purposes of this article, we will focus on the regulatory positions in Southeast Asia, a comparison of which is set out in the table below.

Legal classification of cryptocurrencies and tokens

No country has officially and legally recognized a cryptocurrency as a legal tender/currency, except Japan, which in April 2017, has enacted a law to allow the use of cryptocurrency as a legal method of payment.[5] In fact, Japan has gone even further by approving 15 cryptocurrency exchanges (as of December 2017).[6]

Cryptocurrency can be classified as securities or investment contract depending largely on the jurisdiction of the issuance and the rights associated with the cryptocurrency. If the cryptocurrency is so classified, the securities laws of that jurisdiction will apply to the issuance, trading or otherwise dealing with the cryptocurrency, and the issuers would typically be required to comply with the prospectus filing requirements and all other statutory disclosure obligations.

In July 2017, the US Securities and Exchange Commission (“SEC”), for the first time, issued an investigation report during its investigation into an unincorporated organization called The DAO[7]. The SEC classified The DAO as securities as a result of the application of the oft-cited Howey Test. Under the Howey test, a product is an “investment contract” and therefore a security if it involves (1) the investment of money (2) in a common enterprise with (3) a reasonable expectation of profits which (4) are to be derived from the entrepreneurial or managerial efforts of others.

In December 2017, the SEC applied the same test and halted a fast-moving ICO by the California-based company Munchee Inc that was seeking to raise up to $15 million from thousands of investors ‎to develop an iPhone app for restaurant meal review. Pursuant to its cease-and-desist order dated 11 December 2017[8], the SEC argued that the MUN tokens constitute securities because “they were investment contracts.” The document later notes that the tokens were ultimately deemed a security regardless of their “utility” when the sale took place.

Even if MUN tokens had a practical use at the time of the offering, it would not preclude the token from being a security. Determining whether a transaction involves a security does not turn on labeling – such as characterizing an ICO as involving a ‘utility token’ – but instead requires an assessment of ‘the economic realities underlying a transaction,'” the SEC wrote in the order.

More recently, FINMA, the Switzerland’s independent financial-markets regulator, issued guidelines that outline its view on how tokens created from ICOs are classified. While FINMA noted that there is no generally recognized classification of ICOs and tokens that result from them, either in Switzerland or internationally, FINMA bases its own approach to categorization on the underlying economic function of the tokens. The tokens can be classified as “Payment Token”, “Utility Token” or “Asset Token”. FINMA does not treat Payment Token (means of payment) and Utility Token (rights to access digitally to an application or services) as securities, but categorizes Asset Token (which represent assets such as a debt or equity claim on the issuer) as securities if they represent an uncertificated security and the tokens are standardized and suitable for mass standardized trading.  The individual token classifications are not mutually exclusive. Asset and utility tokens can be classified as payment tokens, which is referred by FINMA as “Hybrid Token” and will be deemed to be both securities and means of payment.

Regulation of ICOs

Regulators around the world are taking different approaches on regulating and controlling ICOs. The most extreme ones are from the People’s Republic of China and South Korea where they have both decided to ban all forms of ICOs as well as any conversion between cryptocurrencies and fiat currencies in September 2017. Other regulators chose to take a wait-and-see approach by simply issuing a warning statement that warns potential investors of the risks in participating in ICOs. As cryptocurrencies and ICOs are becoming more mainstream, we are also seeing more regulators taking a progressive stance by crafting guidance notes to set out the framework and standard for ICOs.

Essentially, these are some of the pertinent legal issues that surround the launching of an ICO, running of a cryptocurrency exchange or trading in cryptocurrency:

Banking and Securities Laws

Regulators and courts examine the substance rather than the form of a cryptocurrency to determine if it is a security. A cryptocurrency will, even if it is labeled as “utility token” or “membership rights”, be deemed as security if it meets the requirements of securities under existing securities laws. The promoters of the cryptocurrency who fail to comply with the securities laws face the risk of criminal and civil prosecution, which often come with jail sentence.

In August 2017, the Monetary Authority of Singapore (“MAS”) issued a Guide to Digital Token Offerings, which states that “issues of digital tokens may be regulated by MAS if the digital tokens are capital markets products under the Securities and Futures Act (Cap 289) (“SFA”). Capital markets products include any securities, futures contracts and contracts or arrangements for purposes of leveraged foreign exchange trading.” MAS defines securities as comprising a share, a debenture, or a unit in a collective investment scheme. MAS will examine the structure and characteristics of, including the rights attached to, a digital token in determining if the digital token is a type of capital markets products under the SFA.

In Malaysia, the Securities Commission and the Central Bank of Malaysia have jointly cautioned the public about ICO schemes which may involve activities that are subject to laws administered by both regulators[9].

Issuers of ICOs should be mindful that the launching of an ICO, the offering of digital tokens in exchange for digital currency or any form of payment and incidental activities thereof, may trigger regulatory requirements under securities laws. In addition, no person is permitted to carry out any regulated activities such as fundraising, fund management and dealing in capital market products without obtaining necessary approval or authorisation from the SC,” they noted.

Further, ICO operators are prohibited from undertaking regulated activities such as deposit taking and banking business, foreign exchange adinistration activities and remittances, without the necessary authorisation under financial services laws administered by the Central Bank of Malaysia.

AML/CFT regulations

Other than banking and securities laws, regulators are extending the applicability of anti-money laundering regulations to cryptocurrencies in 2018. This may cause an obstacle to, if not deteriorate, the degree of anonymity among participants in the cryptocurrency market.

In Feb 2018, the Central Bank of Malaysia has issued the Anti-Money Laundering and Counter Financing of Terrorism (“AML/CFT”) Policy for Digital Currencies (Sector 6), which aims to ensure that effective measures are in place against money laundering and terrorism financing risks associated with the use of digital currencies and to increase the transparency of digital currency activities in Malaysia[10].

In essence, the central bank treats cryptocurrency exchangers as reporting institutions under the AML/KYC regulations, who shall comply with all AML/CFT regulations including conducting know-your-customers (KYC) procedures and verifying their clients’ identity, source of funds or wealth. Persons covered under the policy as reporting institutions are also expected to comply with the provisions of the Companies Act 2016 of Malaysia including the requirement to be incorporated or registered in Malaysia.

Tax regulations – An SEC lawsuit filed against a US-based cryptocurrency exchanges Coinbase revealed that less than 900 taxpayers reported their gains made from Bitcoin trading, even though more than 14,000 Coinbase users have either bought, sold, sent or received at least US$ 20,000 worth of Bitcoin in a given year.[11] As a result, the Internal Revenue Service (IRS) has issued a guidance note describing how existing general tax principles apply to transactions using digital currency. The IRS recognises that digital currency is a digital representation of value that functions as a medium of exchange, a unit of account, and/or a store of value. Virtual currency that has an equivalent value in real currency, or that acts as a substitute for real currency that can be digitally traded between users and can be exchanged into real money, will have tax consequences and anyone who makes profit from such trading[12] is liable for tax.[13]

In January 2018, the Inland Revenue Board of Malaysia (IRB) froze the bank account of London based cryptocurrency exchanger Luno, in an attempt to determine whether Luno has complied with the statutory requirement under the Income Tax Act 1967. The IRB said that all cryptocurrency traders are liable for income accruing in or derived from Malaysia and they must keep proper books of accounting and business records for the purpose of auditing by the relevant law enforcement agencies.[14]

Accounting standard – most accounting standards do not address digital currencies. Hence, there is no guidance or standard on how to report them properly for tax purposes. As a result, some cryptocurrency holders choose not to report at all, while some mark them as “inventory” and issuers report them as a “liability” on their balance sheets. According to a PwC partner, cryptocurrencies do not meet the existing definition of financial asset, because they are:

  • not legal tender;
  • not cash equivalents as their value is exposed to significant change in market value; and
  • not a contractual right to receive either cash or a cash equivalent.

As such, today’s accounting rules would lead to accounting for cryptocurrency either as an intangible asset or inventory, and it would need to be measured at cost (as an inventory) or fair value with movements reflected in profit or loss (as an intangible asset).[15] The accounting rules would need to be amended to accommodate this.

Documentation used in an ICO

By industry practice, every ICO starts with a white paper, very similar to a prospectus, that describes the project, the rights given to investors, the proposed allocation and usage of funds raised from the ICO and the legal disclaimers.

In the US, a Simple Agreement for Future Token (SAFT) framework was developed in October 2017 by attorney Marco Santori and the team behind a pioneering project called Filecoin[16]. SAFT is a broad concept that explains how token issuers could remain on the right side of securities laws when issuing what basically amounts to coupons for tokens at a future date when the platform they are used on is complete.

The SAFT is the commercial instrument used to convey rights in tokens prior to the development of the tokens’ functionality (a.k.a direct token presales). In the U.S., the SAFT itself is a security, so it could be offered in a private placement to accredited investors in compliance with the US securities laws[17]. However, it remains largely uncertain whether the SAFT framework can stand the scrutiny of the US courts.

Even when tokens generated from an ICO are not qualified as securities, the issuers and the promoters must be mindful that the ICOs and whitepapers have to conform to generic anti-fraud and information requirements. Information requirements may apply to the issuer and any other party involved in the sale and marketing of the tokens.

Generally, the white paper and all other transaction documentation relating to the ICO must include all necessary information to permit an average investor to make a reasonable and informed investment decision. The documentation must be accurate and not misleading, comprehensive, transparent and include potential risk factors. Forward-looking statements on future developments must be reasonable. If qualified as general terms and conditions, the terms of the sales documentation must comply with specific local requirements.

While there is currently no established case law available in respect of inaccurate, incomplete or misleading ICO documentation, the promoters must note that any such incidences may lead to fraud prosecution against the promoters of the ICO, which if convicted, often comes with jail terms.

Documentation relating to the investors and their identity and source of funds/wealth must be properly documented and kept to comply with the local AML/CFT regulations.

Jointly written by Edmund Yong (co-founder), Gan Ming Chiek and Edwin Lee (legal advisors) of Celebrus Advisory, a blockchain strategy consulting firm based out of Malaysia with a partner office in Luxembourg. Enquiries can be placed at

[7] SEC, Release No. 81207 / 25 July 2017, available at