Crypto-assets

This is Information Sheet 225 (INFO 225). It will help you to understand your obligations under the Corporations Act 2001 (Corporations Act) and the Australian Securities and Investments Commission Act 2001 (ASIC Act) if:

  • your business is involved with crypto-assets such as cryptocurrency, tokens or stablecoins, whether there are elements that are decentralised or not
  • you are considering raising funds through an initial coin offering (ICO).

The reference to an ICO in this information sheet includes any other form or method of distributing new crypto-assets (irrespective of what it is called). INFO 225 also refers to the Australian Consumer Law. However, it does not cover Australian legislation administered by other regulators who oversee crypto-assets – such as the Australian Transaction Reports and Analysis Centre (AUSTRAC) and the Australian Taxation Office (ATO). 

This information sheet answers the following questions:

For a discussion of distributed ledger technology see Information Sheet 219 Evaluating distributed ledger technology (INFO 219).

This information sheet will help you to understand your obligations under the Corporations Act and ASIC Act. Australian laws apply where the crypto-asset is promoted or sold in Australia, including from offshore. The use of offshore or decentralised structures does not mean that key obligations under Australian laws do not apply or can be ignored. We encourage entities to use their innovative technology to build their products and services in a way that complies with the intention of the laws in place to safeguard consumers and the integrity of financial markets in Australia.  

Figure 1 provides high-level regulatory signposts for crypto-asset participants as a starting point.

Figure 1: Regulatory signposts for crypto-asset participants

Issuers of crypto-assets (e.g. tokens)

Hand with money iconIf you are issuing crypto-assets that fall within the definition of a ‘financial product’, Australian laws apply, including the requirement to hold an Australian financial services (AFS) licence: see Part C and for more information Regulatory Guide 1 AFS Licensing Kit: Part 1 – Applying for and varying an AFS licence (RG 1). 

Crypto-asset intermediaries

People iconIf you are giving advice, dealing, providing insurance, or providing other intermediary services for crypto-assets that are financial products a range of Australian laws apply, including the requirement to hold an AFS licence: see Part C and for more information Regulatory Guide 36 Licensing: Financial product advice and dealing (RG 36). 

Miners and transaction processors

Crossed arrows iconWhere miners and transaction processors are part of the clearing and settlement (CS) process for tokens that are financial products Australian laws apply: see Regulatory Guide 211 Clearing and settlement facilities: Australian and overseas operators (RG 211).

Crypto-asset exchange and trading platforms

Chart iconIf you are operating a market for crypto-assets that are financial products, a range of Australian laws apply, including the requirement to hold an Australian market licence: see Part D and for more information Regulatory Guide 172 Financial markets: Domestic and overseas operators (RG 172). Depending on how transactions in crypto-assets that are financial products are cleared and/or settled, you may also be operating a clearing and settlement facility and require a clearing and settlement facility licence: see RG 211.

Crypto-asset investment products

If you are operating an investment product that offers investors exposure to crypto-assets, a range of Australian laws may apply: see Part C and Part E

Crypto-asset payment and merchant service providers

Money icon If the payment service involves a ‘non-cash payment facility’ a range of Australian laws apply, including the requirement to hold an AFS licence: see Part C and for more information Regulatory Guide 185 Non-cash payment facilities (RG 185).

Wallet providers and custody service providers

Computer iconIf tokens stored by your business fall within the definition of a ‘financial product’, you need to ensure you hold the appropriate custodial and depository authorisations: see RG 1.

Consumers

People talking money iconIf you are an individual or institution interested in acquiring crypto-assets or participating in ICOs, be mindful of both the risks and opportunities that are present. You can read information and warnings about ICOs on our MoneySmart website.

Cross iconYou must not engage in misleading or deceptive conduct in the course of your business whether a financial product is involved or not: see Part B.

Tick iconEntities offering crypto-assets, or crypto-asset-related products, need to undertake appropriate inquiries to ensure they comply with all relevant Australian laws .

Part A: What should you consider when offering crypto-assets?

This part provides a non-exhaustive list of items to consider when offering crypto-assets, whether this is through an ICO or through other means.

Is the crypto-asset a financial product (or does it involve a financial product)?

Entities and their advisers need to consider all the rights and features of the proposed crypto-asset, as well as the way in which it will be offered. This analysis is critical to determining whether the crypto-asset is a financial product or involves a financial product. The conclusions of an analysis of the rights and features of the asset is more important than how it is named and marketed (e.g. as an ICO).

Our experience suggests that ICOs by their nature seek to raise capital from the public to fund a particular project through the issue of crypto-assets such as tokens. If the crypto-asset issued by the ICO is a financial product (such as an interest in a managed investment scheme or a security), the issuer will need to comply with the relevant capital raising provisions of the Corporations Act, AFS licensing requirements and other regulatory requirements. These regulatory requirements are in place to maintain the integrity of Australia’s financial market and ensure consumers are protected. 

For more information to help you in answering this question see Parts C, D and E.

If you do not consider your crypto-asset to be a financial product, can you substantiate your conclusion?

Entities should be prepared to justify a conclusion that their crypto-asset and the means of offering the crypto-asset, for example the ICO, does not involve a regulated financial product. 

Entities are expected to know who their investors are to justify a conclusion that exemptions under the Corporations Act for ‘wholesale’ or ‘sophisticated’ investors versus retail investors apply to the offering.

Are you complying with all relevant Australian laws on an ongoing basis?

Entities need to ensure that they comply with all the relevant Australian laws. This includes ensuring that all the information they provide to consumers, regardless of the media they use, complies with relevant laws including the Corporations Act, ASIC Act and the Australian Consumer Law, as well as anti-money laundering (AML) and know your client (KYC) obligations. 

Whether or not a financial product is involved, promoters must always ensure that the ICO does not involve misleading or deceptive conduct or statements. Entities can do so by seeking professional advice (including legal advice) on all the facts and circumstances of the issue or sale of the ICO, not just a part of the sale.

As the design of the crypto-asset or ICO can change over the course of the product development life cycle, entities are expected to seek professional advice and ensure ongoing compliance with the law. For example, it is particularly important to ensure that ongoing disclosures are kept up to date – failure to do so will increase the risk that the offer of the ICO, the ongoing issue of the crypto-asset and/or the information the issuer has provided about the ICO or crypto-asset could mislead or deceive consumers. See Part B for more information about what misleading or deceptive conduct is in relation to an ICO or crypto-asset.

Examples of other general Corporations Act requirements that will often apply include an officer’s duty to act in the best interests of a corporation or discharge their duties for a proper purpose.

Part B: What is misleading or deceptive conduct in relation to a crypto-asset or an ICO?

This part discusses when laws prohibiting misleading or deceptive conduct, or the Corporations Act, would apply to a crypto-asset or an ICO.

Misleading or deceptive conduct

Australian law prohibits misleading or deceptive conduct in a range of circumstances, including in trade or commerce, in connection with financial services, and in relation to a financial product. Australian laws and regulations that prohibit misleading or deceptive conduct may apply even if an interest in a crypto-asset or an ICO is issued, traded or sold offshore. It is a serious breach of Australian law to engage in misleading or deceptive conduct.

Care should be taken to ensure that promotional communications about a crypto-asset or an ICO do not mislead or deceive potential consumers and do not contain false information. 

Crypto-assets and ICOs that are not financial products

For crypto-assets and ICOs that are not financial products, the same prohibitions against misleading or deceptive conduct apply under the Australian Consumer Law. The Australian Competition and Consumer Commission (ACCC)’s Advertising and selling guide provides guidance on how to ensure advertising complies with the Australian Consumer Law.

Conduct that may be misleading or deceptive to consumers can include:

  • stating or conveying the impression that the crypto-assets (such as coins or tokens) or ICO offered are not a financial product if that is not the case
  • stating or conveying the impression that a crypto-asset trading platform does not quote or trade financial products if that is not the case
  • using social media to generate the appearance of a greater level of public interest in a crypto-asset or ICO
  • undertaking or arranging for a group to engage in trading strategies to generate the appearance of a greater level of buying and selling activity for an ICO or crypto-asset
  • failing to disclose adequate information about the ICO or crypto-asset, or
  • suggesting that the ICO or crypto-asset is a regulated product or the regulator has approved the ICO or crypto-asset if that is not the case.

We have been delegated powers from the ACCC to, in coordination with the ACCC, respond to potentially misleading or deceptive conduct relating to crypto-assets which affect Australian consumers.

Crypto-assets and ICOs that are financial products

For crypto-assets and ICOs that are financial products, the ASIC Act and the Corporations Act include prohibitions against misleading or deceptive conduct.

Regulatory Guide 234 Advertising financial products and services (including credit): Good practice guidance (RG 234) contains guidance to help businesses comply with their legal obligations not to make false or misleading statements or engage in misleading or deceptive conduct.

What is the relationship between ICOs and crowd-sourced funding?

ICOs are sometimes referred to by industry as a form of crowd funding. Crowd funding using an ICO is not the same as ‘crowd-sourced funding’ (CSF) regulated by the Corporations Act. Care should be taken to ensure the public is not misled about the application of the CSF laws to an ICO. There are specific laws for the CSF regime which reduce the regulatory requirements for public fundraising while maintaining appropriate investor protection measures.

CSF intermediaries operate a platform through which start-ups and small businesses can raise up to $5 million. The capital is generally raised from a large number of consumers who invest small amounts of money in return for the issue of shares. Under the Corporations Act, acting as a CSF intermediary is a ‘financial service’ and specific laws apply to both the CSF intermediary as well as the companies seeking to make offers through the platform.

The laws require that a provider of CSF services must hold an AFS licence with authorisation to provide this service. This is not an exhaustive discussion of all the relevant Australian laws that apply in relation to providing CSF. It is the responsibility of the entities involved to ensure they comply with all relevant Australian laws.

Part C: When could a crypto-asset or an ICO be or involve a financial product?

This part considers types of crypto-assets and ICO offers made available to consumers in Australia and whether the Corporations Act might apply to them. It answers the following questions:

The Corporations Act is likely to apply to a crypto-asset or an ICO that involves a financial product such as a managed investment scheme, security, derivative or non-cash payment (NCP) facility. This part discusses each of these financial products. Our experience suggests that some crypto-assets and many ICOs may be, or involve, interests in a managed investment scheme.

Rights attached to crypto-assets

The rights attached to crypto-assets, such as those issued under an ICO, are a key consideration in assessing their legal status as a financial product. These rights are generally described in the crypto-asset’s ‘white paper’, an offer document issued by the business making the offer or sale of a crypto-asset. Rights may also be determined from other circumstances (e.g. how the crypto-asset is marketed to investors). What is a ‘right’ should be interpreted broadly. Rights that may arise in the future or on a contingency, and rights that are not legally enforceable, are included.

When could a crypto-asset or an ICO be, or involve, interests in a managed investment scheme? 

What is a managed investment scheme?

A managed investment scheme is a form of collective investment vehicle. It is defined in the Corporations Act and has three elements:

  • people contribute money or assets (such as cryptocurrency or other crypto-assets) to obtain an interest in the scheme (subject to limited exceptions, ‘interests’ in a scheme are generally a type of ‘financial product’ and are regulated by the Corporations Act)
  • any of the contributions are pooled or used in a common enterprise to produce financial benefits or interests in property (e.g. using funds raised from contributors to develop the platform), for purposes that include producing a financial benefit for contributors (e.g. from an increase in the value of their tokens), and
  • the contributors do not have day-to-day control over the operation of the scheme but, at times, may have voting rights or similar rights.

Application to crypto-assets and ICOs

As noted above, what is a ‘right’ should be interpreted broadly. If the rights and value of the crypto-asset are related to an arrangement with the three elements described above, the crypto-asset issuer is likely to be offering interests in a managed investment scheme.

In some cases, crypto-asset or ICO issuers may frame the entitlements received by contributors as a receipt for a purchased service. If the value of the crypto-assets acquired is affected by the pooling of funds from contributors, or the use of those funds under the arrangement, then the crypto-asset is likely to involve a managed investment scheme. This is particularly the case when the crypto-asset or ICO is offered as an investment. Figure 2 can help in identifying whether a crypto-asset or ICO is, or involves, a managed investment scheme.

Figure 2: Is the crypto-asset or ICO a managed investment scheme?

Flow chart

Australian laws apply

If an issuer of a crypto-asset is operating a managed investment scheme offered to retail investors they will need to:

  • register the scheme with ASIC
  • establish a constitution and compliance plan
  • obtain an AFS licence to act as a responsible entity, and
  • prepare and issue a compliant product disclosure statement (PDS), and comply with other disclosure obligations.

See Part E for more information about obligations and good practices for retail managed investment schemes. 

If an issuer of a crypto-asset is operating a wholesale managed investment scheme they may need to obtain an AFS licence with the appropriate authorisations and must have a robust process to ensure that only wholesale clients invest in the managed investment scheme.

It is not permissible for the issuer, as trustee of the wholesale managed investment scheme, to rely on a corporate authorised representative appointment from another AFS licensee in order to issue interests in the scheme – as the issuer would not be ‘acting on behalf’ of the AFS licensee but rather issuing interests in the wholesale scheme as trustee in its own right: see Information Sheet 251 AFS licensing requirement for trustees of unregistered managed investment schemes (INFO 251). In addition, the issuer as trustee must ensure that any ‘white paper’, ‘lite paper’ or other promotional document issued in connection with the ICO or crypto-asset does not include any misleading or deceptive statements – otherwise, investors who suffer loss or damage may be able to recover that loss or damage.

This is not an exhaustive discussion of all the relevant Australian laws that apply in relation to a managed investment scheme. It is the responsibility of the entities involved to ensure they comply with all relevant Australian laws.

If the scheme is not a managed investment scheme, it may involve a security or other financial product discussed below.

When could a crypto-asset or an ICO be an offer of a security?

What is a security?

The most common type of security is a share. An option to acquire a share by way of issue is considered to be a ‘security’ under the Corporations Act. For example, if the product being offered gives the right to be issued shares in the future, it may be an option. A debenture is also considered to be a ‘security’ under the Corporations Act. Debentures are a way for businesses to raise money from investors. In return for money, the business issuing the debenture promises to pay the investor interest, and the money lent to the business by the investor, at a future date.

A share is a collection of rights relating to a company. There are a range of types of shares that may be issued. Most shares issued by companies that offer shares to the public are ‘ordinary shares’ and carry rights regarding the ownership of the company, voting rights in the decisions of the body, some entitlement to share in future profits through dividends, and a claim on the residual assets of the company if it is wound up.

Most shares issued in Australia come with the benefit to shareholders of limited liability as well.

Application to ICOs

When an ICO is created to fund a company (or to fund an undertaking that looks like a company) then the rights attached to the crypto-asset issued by the ICO may fall within the definition of a security – which includes a share or the option to acquire a share in the future.

The bundle of rights referred to above may be used to help determine if a token is in fact a security. If the rights attached to the crypto-asset (which are generally found in the ICO’s ‘white paper’ but may be found in other materials) are similar to rights commonly attached to a share – such as if there appears to be ownership of the body, voting rights in decisions of the body or some right to participate in profits of the body – then it is likely the crypto-asset is a share. If the crypto-asset gives the purchaser a right to acquire shares in the company at a time in the future (e.g. if it lists on the ASX) then this may be an option, which is also a security.

Australian laws apply

Where it appears that an issuer of an ICO is actually making an offer of a security, the issuer will generally need to prepare a prospectus. Such offers of securities that are shares are often described as initial public offerings (IPOs).

By law, a prospectus must contain all information that consumers reasonably require to make an informed investment decision. Generally, a prospectus should include audited financial information.

Importantly, though an ICO may look similar to an IPO, an ICO may not offer the same protections to consumers and may result in liability for the issuer and those involved in the ICO. Issuers of an ICO need to be aware that where an offer document for an ICO is, or should have been, a prospectus and that document does not contain all the information required by the Corporations Act, or includes misleading or deceptive statements, consumers may be able to withdraw their investment before the crypto-assets are issued or pursue the issuer and those involved in the ICO for the loss.

For more details about the information a prospectus should contain see Regulatory Guide 228 Prospectuses: Effective disclosure for retail investors (RG 228).

Offering, advising about, making a market for, providing custodial or depository services for, and dealing in, crypto-assets that are securities or other financial products may also attract specific AFS licensing requirements and other regulatory requirements.

This is not an exhaustive discussion of all the relevant Australian laws that apply in relation to an ICO offering a security. It is the responsibility of the entities involved to ensure they comply with all relevant Australian laws.

When could a crypto-asset or an ICO be an offer of a derivative?

What is a derivative?

Section 761D of the Corporations Act provides a broad definition of a derivative. For the purpose of this information sheet a ‘derivative’ is a product that derives its value from another ‘thing’ which is commonly referred to as the ‘underlying instrument’ or ‘reference asset’. The underlying instrument may be, for example, a share, a share price index, a pair of currencies, a commodity or a crypto-asset.

Application to crypto-assets

A crypto-asset or an ICO may involve a derivative if it is priced based on factors such as the price of another financial product, underlying market index or asset price moving in a certain direction before a time or event which resulted in a payment being required as part of the rights or obligations attached to the crypto-asset. For example, the crypto-asset could contain a self-executing contract involving payment arrangements that are triggered by changes in the relevant price of the underlying product, index or asset.

Australian laws apply

Where an issuer of a crypto-asset or ICO is making an offer of a derivative to a retail investor, the issuer will need to prepare a PDS and comply with other regulatory requirements.

Services such as offering, advising about, making a market for, and dealing in, crypto-assets that are derivatives will also require an AFS licence.

OTC transactions of derivatives, such as CFDs in crypto-assets and crypto-assets that are derivatives, by AFS licensees and other ‘reporting entities’ are subject to the transaction reporting requirements under the ASIC Derivative Transaction Rules (Reporting) 2013.

This is not an exhaustive discussion of all the relevant Australian laws that apply in relation to an ICO involving a derivative. It is the responsibility of the entities involved to ensure they comply with all relevant Australian laws.

When could a crypto-asset be or involve a non-cash payment facility?

What is a non-cash payment facility?

A non-cash payment (NCP) facility is an arrangement through which a person makes payments, or causes payments to be made, other than by the physical delivery of currency.

This type of facility can be a financial product which requires an AFS licence if payments can be made to more than one person. An intermediary that arranges for the issue of an NCP facility may need an AFS licence, or to act on behalf of an AFS licensee.

Application to crypto-assets

Just because a crypto-asset is the form of value that is used to complete a transaction does not necessarily mean that the crypto-asset is an NCP facility.

Whether or not a crypto-asset is, or involves, an NCP facility will depend on the rights and obligations associated with the asset. If the asset provides the holder with a right to use the asset to make a payment, it is likely to be an NCP facility.

In some instances, there may be NCP facilities that involve the use of a crypto-asset. For example, if a person offers an arrangement where payments can be made using a crypto-asset but fiat currency is sent to the recipients, that arrangement is likely to be an NCP facility.

Crypto-assets such as tokens offered under an ICO are unlikely to be NCP facilities – though they may be a form of value that is used to make a payment (instead of physical currency). An ICO may involve an NCP facility if it includes an arrangement that allows:

  • payments to be made in this form of value to a number of payees, or
  • payments to be started in this form and converted to fiat currency to enable completion of the payment.

Australian laws apply

If an ICO involves an NCP facility an AFS licence may be needed. For general information on NCP facilities, including the low-value exemption that can apply, see RG 185.

This is not an exhaustive discussion of all the relevant Australian laws that apply in relation to an ICO that may involve an NCP facility. It is the responsibility of the entities involved to ensure they comply with all relevant Australian laws.

Part D: When could a crypto-asset trading platform become a financial market?

This part provides guidance about platforms that enable trading of crypto-assets.

What is a financial market?

A financial market is a facility through which offers to acquire or dispose of financial products are regularly made. Anyone who operates a financial market in Australia must obtain a licence to do so or otherwise be exempted by the Minister.

Application to crypto-assets

Where a crypto-asset is a financial product (whether it is an interest in a managed investment scheme, security, derivative or NCP facility), then any platform that enables consumers to buy (or be issued) or sell these crypto-assets may involve the operation of a financial market.

To operate in Australia, the platform operator will need to hold an Australian market licence unless covered by an exemption. Platform operators must not allow financial products to be traded on their platform without having the appropriate licence as this may amount to a significant breach of the law.

If you operate an unlicensed overseas or decentralised platform, you must ensure that it does not operate as a financial market in Australia (unless an exemption applies). This may require you to take steps to prevent Australian clients from accessing financial products on your platform (unless you are covered by an exemption). These steps include (but are not limited to) removing references and links, placing additional warnings and disclosures on the relevant webpages and apps, and introducing geographically based IP restrictions (geo-blocking).

Depending on how transactions in crypto-assets that are financial products are cleared and/or settled, you may also be operating a clearing and settlement facility and require a clearing and settlement facility licence: see RG 211.

Part E: What should you consider when offering retail investors exposure to crypto-assets via a regulated investment vehicle?

This section provides guidance to issuers of investment products that provide retail investors with exposure to crypto-assets.

There are many different types of investment products available to retail investors in Australia. The types most accessed by investors include:

  • exchange traded products (ETPs), such as exchange traded funds (ETFs), managed funds (MFs) and structured products (SPs)
  • listed investment companies (LICs)
  • listed investment trusts (LITs), and
  • unlisted investment funds.

It is important that you are mindful of the specific legal obligations that apply when operating and offering different kinds of investment products. For example, ETFs, MFs, LITs and unlisted investment funds are managed investment schemes. Structured products are generally securities or derivatives. Listed investment companies are public companies. Each of these are regulated by ASIC under the Corporations Act.

In addition, except for unlisted investment funds, these products are traded on licensed Australian financial markets. Market operators play an important gatekeeper role in assessing the suitability of products that are admitted to their markets. If you intend to admit your product to a market, the respective market operator will have requirements you must meet.

The subsections below provide information on good practices for different types of investment products that provide exposure to crypto-assets. Issuers of ETPs that reference crypto-assets should also refer to the additional good practices specific to crypto-asset ETPs set out in Information Sheet 230 Exchange traded products: Admission guidelines (INFO 230).

Managed investment schemes

Responsible entities (REs) and managed investment schemes are regulated under Chapter 5C of the Corporations Act. REs play a crucial role in ensuring the health of, and confidence in, the financial system. They are entrusted with the funds of their investors and must comply with their legal obligations as REs, including to act in the best interests of members of the scheme.

There are certain key matters that REs must consider when investing the funds of their investors into crypto-assets, particularly in relation to custody, risk management and disclosure. These key matters are relevant, whether the crypto-assets are financial products or not.

Custody

The RE of a registered scheme must hold scheme property on trust for members: see section 601FC(2) of the Corporations Act. Further obligations in relation to custody are set out in Class Order [CO 13/1409] Holding assets: Standards for responsible entities. Regulatory guidance in relation to these obligations is set out in Regulatory Guide 133 Funds management and custodial services: Holding assets (RG 133).

Asset holders also need to comply with financial requirements set out in Class Order [CO 13/760] Financial requirements for responsible entities and operators of investor directed services. Regulatory guidance in relation to these obligations is set out in Regulatory Guide 166 Licensing: Financial requirements (RG 166). Generally, this will mean that the RE, or its custodian engaged to hold the scheme property, will be required to hold minimum net tangible assets of $10 million.

In meeting these minimum requirements when dealing with crypto-assets, we consider it good practice that:

  • the entity responsible for custody has specialist expertise and infrastructure relating to crypto-asset custody
  • the crypto-assets are segregated on the blockchain. This means that unique public and private keys are maintained on behalf of the RE so that the scheme assets are not intermingled with other crypto-asset holdings
  • the private keys used to access the scheme’s crypto-assets are generated and stored in a way that minimises the risk of loss and unauthorised access. For example:
    • solutions that protect private key material using hardware devices that are physically isolated and that have appropriately limited connectivity to other computing systems (cold storage) are preferred. Private key material should not be held on internet-connected systems or networked hardware (hot storage) beyond what is strictly necessary for the operation of the product
    • the hardware devices used to hold private key material should be subject to robust physical security practices, and
    • effective systems and processes for key backup and recovery should be maintained, with geographically distributed backup sites preferred
  • signing approaches that minimise ‘single point of failure risk’ are adopted
  • custodians have robust systems and practices for the receipt, validation, review, reporting and execution of instructions from the RE
  • REs and custodians have robust cyber and physical security practices for their operations, including appropriate internal governance and controls, risk management and business continuity practices
  • the cybersecurity practices and the controls environment of the custodian are independently verified to an appropriate standard – for example, through SOC 1/2, GS 007, ISO 27001/2, NIST CSF or other appropriate certification or attestation

Note: See System and organisation controls (SOC) reports 1 and 2 (SOC 1/2), Auditing and Assurance Standards Board, Guidance Statement GS 007 Audit implications of the use of service organisations for investment management services (GS 007), International Organization for Standardization, ISO/IEC 27001:2013 Information technology—Security techniques—Information security management systems—Requirements (ISO 27001) and ISO/IEC 27002:2013 Information technology—Security techniques—Code of practice for information security controls (ISO 27002), and National Institute of Standards and Technology, Cybersecurity Framework (NIST CSF).

  • REs have access to an appropriate compensation system in the event that crypto-assets held in custody are lost
  • if an external or sub-custodian is used, REs should have the appropriate competencies to assess the custodian’s compliance with RG 133.

The security of private keys is of critical importance. Private keys are necessary to sign transactions that assign crypto-assets to new addresses. If private keys are compromised, unauthorised parties can use them to transfer the scheme’s crypto-assets to addresses (and parties) that are outside the control of the RE.

Accordingly, REs and custodians should ensure that the private keys used by the scheme are protected from unauthorised access – both online and offline.

For the same reasons, REs and custodians should adopt a transaction signing approach that minimises single point of failure risk. For example, multi-signature or sharding-based signing approaches should be preferred to the use of a single private key to sign transactions. As technology develops, other suitable approaches may also emerge. It is a matter for the RE to determine the most effective approach, considering the benefits and drawbacks of different approaches.

In relation to the receipt, validation, review and execution of customer instructions, these processes should include appropriate permissioning so that no one party has control of the entire process. If the structure of the product is such that it only needs to interact with a pre-defined set of addresses – for example, particular dealers, markets or authorised participants – the custodian should consider a whitelist approach, so that transfers can only be made to those pre-defined addresses.

In relation to compensation systems, we consider it good practice that REs have access to an arrangement so that members of the scheme can be compensated if crypto-assets are lost. The precise nature of the arrangement, including what is covered, how much is covered, and its form – for example, insurance, an asset protection plan or compensation fund – are all matters for the RE to determine, taking into account the nature of its product and its duty to act in the best interest of the members of the scheme.

Note: In this context, REs should also consider the regulatory guidance on liability provisions in custody agreements set out in RG 133.

In relation to the independent verification of cybersecurity practices and controls environments, we have not mandated specific standards, certifications or attestations that must be achieved by custodians of crypto-assets. Rather, we consider it good practice that these are independently verified to an appropriate standard, as determined by industry practice, and it is a matter for the RE as to whether they are satisfied with the standards, certifications, or attestations that the custodian has achieved.

REs should, where appropriate, take the necessary steps to obtain a copy of and consider an independent audit of the effectiveness of the controls of a third-party service organisation responsible for custody of assets. Where crypto-assets are held it is expected this would include controls determined by industry practice for mandated standards, certifications or attestations that are expected for custodians of crypto-assets. This could be an audit based on GS 007 or a comparable audit from other jurisdictions.

Note: As set out in RG 133, a responsible entity or another person engaged by it to hold assets of a registered scheme does not need to hold an AFS licence authorising it to provide a custodial service for this purpose. This is because holding those assets is not a custodial service under section 766E(3)(b) of the Corporations Act. Holding assets is a part of the operation of the registered scheme by the RE.

Risk management

An RE, as an AFS licensee, is required to do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly: see section 912A(1)(a) of the Corporations Act. Further, under section 912A(1)(h), an AFS licensee is required to have adequate risk management systems. Regulatory guidance in relation to these obligations is set out in Regulatory Guide 259 Risk management systems of responsible entities (RG 259).

In meeting these minimum requirements in relation to crypto-assets, we consider it good practice for REs to carefully consider the crypto-asset trading platforms used by them or their service providers to access crypto-assets. In particular:

  • the RE should be satisfied, based on reasonable due diligence, that any crypto-asset trading platform it relies on:
    • is a digital currency exchange provider registered with AUSTRAC, or is regulated by one or more laws of a foreign country giving effect to the Financial Action Task Force recommendations relating to customer due diligence and record-keeping, and
    • implements risk-based AML/CTF systems and controls that are supervised or monitored by a body empowered by law to supervise and enforce the customer due diligence and record-keeping obligations
  • the RE should ensure that authorised participants, market makers and other service providers that trade crypto-assets in connection with the product do so on crypto-asset trading platforms that meet the same standard as above.

The AML/CTF obligations, among other things, require entities to have customer identification procedures and aim to reduce the risk of crypto-assets being used to support criminal activity.

Research also suggests that market integrity issues are more prevalent on crypto-asset markets with lower levels of regulation, compliance and transparency.

The RE is responsible for ensuring its risk management systems appropriately manage all other risks posed by crypto-assets. Among other things, this could include implementing or applying relevant standards published by Australian and international organisations as they develop.

Disclosure

Part 7.9 of the Corporations Act sets out the obligations that apply to an RE as issuer of a PDS. Further guidance about disclosure is set out in Regulatory Guide 168 Disclosure: Product Disclosure Statements (and other disclosure obligations) (RG 168) and issuers should refer to the ‘Good Disclosure Principles’ outlined in Section C of RG 168.

Relevantly, section 1013D of the Corporations Act requires that a PDS must include information – about any significant risks associated with holding the product – that a retail client would reasonably require to make a decision whether to buy the financial product.

In the context of investment products that invest in, or provide exposure to, certain crypto-assets, we consider there must be sufficient information about the characteristics and risks of those crypto-assets in the PDS. There must also be sufficient information about how the product is intended to operate and how it is expected to generate a return for investors.

Types of matters that may be relevant in meeting these minimum requirements may include:

  • in relation to the characteristics of crypto-assets:
    • the technologies that underpin crypto-assets, such as blockchains, distributed ledger technology, cryptography and others
    • how crypto-assets are created, transferred and destroyed
    • how crypto-assets are valued and traded, and
    • how crypto-assets are held in custody
  • in relation to the risks of the crypto-assets:
    • market risk – historically, crypto-assets have demonstrated that their investment performance can be highly volatile and there is a risk they could have little to no value in the future
    • pricing risk – it may be difficult to value some crypto-assets accurately and reliably for reasons including the nature of their trading, susceptibility to manipulation, and a lack of identifiable fundamentals. Some crypto-assets may be purely speculative assets
    • immutability – most crypto-assets are built on immutable blockchains, meaning that an incorrect or unauthorised transfer cannot be reversed and can only be undone by the recipient agreeing to return the crypto-assets in a separate transaction
    • political, regulatory and legal risk – government and/or regulatory action may affect the value of crypto-assets held by the scheme
    • custody risk – the private keys may be lost or compromised, resulting in crypto-assets being inaccessible or accessed by unknown third parties without authorisation
    • cyber risk – the nature of crypto-assets may mean they are more susceptible to cyber risks than other asset classes, and
    • environmental impact – to the extent that some crypto-assets have a large environmental impact, this may raise other risks, such as increased regulation or negative market sentiment, which could affect the value of crypto-assets held by the scheme.

Note: For the avoidance of doubt, this list does not represent mandatory matters for disclosure and should only be regarded as illustrating the types of matters that may be relevant to REs when complying with their disclosure obligations. REs must determine what is appropriate disclosure in the context of the characteristics, operations and risks of their product.

Licensing of scheme operators and registration of schemes

Operators of schemes that hold crypto-assets will generally need to hold an AFS licence or be exempt from the requirement to hold a licence.

For general information about applying for an AFS licence, refer to the AFS Licensing Kit (Regulatory Guides 1 to 3), which provides an overview of the application process and information on supporting proof documents.

We expect that applicants proposing to operate registered schemes that hold crypto-assets (whether the scheme holds one or more crypto-assets) will initially apply for ‘named scheme’ authorisation. This authorises the licensee to operate only the specific crypto-asset registered scheme(s) named on the licence.

Consistent with Regulatory Guide 105 AFS licensing: Organisational competence (RG 105), we expect applicants to operate two named crypto-asset registered schemes for at least two years before we will consider granting them a broader ‘kind scheme’ authorisation for crypto-assets. The ‘kind scheme’ authorisation allows the licensee to operate multiple crypto-asset schemes without needing to vary the licence with each new scheme.

When applying for these authorisations, the applicant is required to select what kind(s) of assets the scheme will hold. For registered managed investment schemes that will hold crypto-assets, the applicant should select:

  • for crypto-assets that are not financial products, the ‘crypto-asset’ asset kind, or
  • for crypto-assets that are also financial products, the asset kind which corresponds to the crypto-asset class of financial product – for example, the ‘financial assets’ or ‘derivatives’ asset kinds.

To establish the ‘crypto-asset’ asset kind to administer our licensing functions we will define ‘crypto-asset’ as:

'a digital representation of value or rights (including rights to property), the ownership of which is evidenced cryptographically and that is held and transferred electronically by:

    • a type of distributed ledger technology; or
    • another distributed cryptographically verifiable data structure.'

Note 1: This definition is deliberately broad to capture the range of assets that could be held by a managed investment scheme. Without limitation, it is intended to encapsulate the full range of ‘coins,’ ‘stablecoins’ and ‘tokens’, as those terms are used by the crypto-asset industry.

Note 2: This definition helps us to administer the AFS licensing regime for managed investment schemes and should not be taken as a definition of crypto-assets for other purposes.

In assessing AFS licence applications for authorisation to operate registered managed investment schemes that hold crypto-assets, for both ‘named scheme’ and ‘kind scheme’ authorisations, whether the crypto-assets are financial products or not, some of the key matters that we will consider in detail are:

  • whether the nominated responsible managers can demonstrate both the ‘operate scheme’ and ‘assets under management’ elements of the organisational competence standards set out in RG 105
  • the extent to which the applicant can meet the good practices outlined above for the products they will operate – particularly in relation to custody and risk management, and
  • whether the applicant has appropriate human, financial and technological resources.

We also note that:

  • we will assess the application under relevant policy and, in relation to crypto-assets that are also financial products, take into account the considerations that apply to financial products of that type generally
  • applications that relate to crypto-assets are more likely to be novel applications and our experience to date indicates that assessment of those applications may take more time, and
  • we will work with businesses to identify the issues to be addressed in the application and will issue additional guidance if we think that doing so may be helpful to industry.

Note: Form FS01 and Form FS03 have not yet been updated to include the ‘crypto-asset’ asset kind. When completing these forms, in the interim, please highlight in the 'A5 Business Description' core proof that you are requesting authorisations for crypto-assets that are not financial products. Please also highlight in the email you send to us with the core proof documents that the application relates to a crypto-asset scheme. The AFS licence authorisations will be tailored as required by the Licensing team.

After the operator is licensed, the crypto-asset scheme(s) it will offer to investors may need to be registered as a managed investment scheme.

For more information about scheme registration, refer to the ASIC webpage on how to register a managed investment scheme.

Note: Form 5100 has not yet been updated to include the ‘crypto-asset scheme’ kind. When completing this form for non-financial product crypto-asset schemes, please select ‘Other Primary Production’ as the scheme kind in section 1, and specify ‘crypto-asset’ in the space provided. For crypto-assets that are financial products, select the scheme kind(s) that corresponds to the crypto-assets’ class of financial product—for example, ‘financial assets’ or ‘derivatives’.

Listed investment companies

Listed investment companies (LICs) are public companies incorporated under the Corporations Act and are subject to the law relating to such companies, including Chapter 2D (directors’ duties), Chapter 2M (financial reporting) and section 674 (continuous disclosure). As listed entities, they are also subject to the rules of the market they are listed on. The LIC will appoint an investment manager with an AFS licence but does not generally have its own AFS licence.

We expect LICs that provide investors with a material exposure to crypto-assets to follow the same good practices for custody, risk management and disclosure as registered managed investment schemes.

We expect market operators to develop rules for LICs that invest a material portion of investors’ funds in crypto-assets so that there is a level playing field between them and crypto-asset ETPs, particularly in relation to permissible underlying crypto-assets and pricing frameworks – refer to INFO 230 for further information.

Structured products

Structured products (SPs) are generally classified as securities or derivatives, and the precise legal obligations of an SP issuer will depend on the type of financial product it issues.

We expect SPs that offer investors exposure to crypto-assets to follow the same good practices for custody, risk management and disclosure as registered managed investment schemes. As SPs are a subset of ETPs, these products will also be subject to market operator rule frameworks as they apply to ETPs and our expectations for such products – refer to INFO 230 for further information.

Part F: How do overseas categorisations of crypto-assets translate to the Australian context?  

A number of international regulators have issued guidance on the application of their securities and financial services laws to ICOs and have defined the function of a range of crypto-assets (e.g. utility tokens and exchange tokens). These categorisations do not automatically translate to equivalent products in Australia.

The definition of a financial product in Australia is often broader than in other jurisdictions. As such, crypto-assets such as utility tokens that may fall outside the regulatory perimeter in another jurisdiction may often be covered under our broader definition. It is important to always consider the particular rights and features of an individual ICO or crypto-asset in relation to Australian law to determine whether it is regulated as a financial product: see Part C.

Part G: Where can I get more information?

Entities that have specific requests or questions about a crypto-asset, an ICO or RegTech solutions in relation to distributed ledger technology may contact our Innovation Hub or their existing ASIC contact. The Innovation Hub can help by providing tailored guidance to innovative businesses on how to access information and services relevant to them through the ASIC website.

For all inquiries, we strongly encourage entities to carefully consider their proposal and seek professional advice (including legal advice).

We do not provide any assessment or approval of an entity’s compliance with the law, including in relation to the business model adopted.

Important note

The information in this publication should not be considered legal advice. You will need to obtain your own legal advice in relation to the applicable laws.

Related information

Important notice

Please note that this information sheet is a summary giving you basic information about a particular topic. It does not cover the whole of the relevant law regarding that topic, and it is not a substitute for professional advice. We encourage you to seek your own professional advice to find out how the applicable laws apply to you, as it is your responsibility to determine your obligations.

You should also note that because this information sheet avoids legal language wherever possible, it might include some generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases, your particular circumstances must be taken into account when determining how the law applies to you.

Information sheets provide concise guidance on a specific process or compliance issue or an overview of detailed guidance.

This information sheet was reissued in October 2021.

What's new

Last updated: 07/03/2024 03:35