Initial Coin Offerings (ICOs) come in different sizes and forms. They also offer different risk exposures to different business models across different jurisdictions and their legal systems. Interest in ICOs, cryptocurrencies and digital assets, notably from retail clients and non-professional market participants, are increasingly causing EU and national as well as supervisory authorities including ESMA to issue warnings on their risks and those financial products that reference cryptocurrency and other digital assets.

What is an ICO?

In an ICO, an offeror (typically a real or purported FinTech startup company) offers to sell a blockchain based “coin” or “token” against payment of another cryptocurrency, such as bitcoin or ether to finance itself or to finance a particular project. The tokens are also blockchain based and, thus freely transferable via the blockchain. Whether the tokens represent some kind of claim against the “issuer” and if so, what, is described typically described in a short “white paper”. The tokens may contain a smart contract, i.e. a self-executing set of instructions that will automatically transfer to its holder the promised benefit. The benefit can be a return on investment from the profits of the project or venture or company that is financed from the proceeds of the token sale. Sometimes, the tokens may represent the right to use the product that is being financed with the proceeds. And sometimes, the token represents nothing except the token itself, i.e. it is simply a new virtual currency that may be used as a means of payment (if someone accepts the token as payment) or a means of speculation (if a market develops for the tokens).

According to estimates, approximately 80% of all ICOs are fraudulent offerings. Most of the remaining ICOs are difficult to evaluate in light of the extremely thin documentation surrounding the offering and the lack for investors to verify the accuracy of the information provided. Moreover, coin investors have no guarantee whether the project that they helped finance will be successful and whether the tokens they acquire are free from technical defects that makes them prone to malfunctioning or cyber-theft.

The fragmented regulation of ICOs (or the absence thereof)

Aside from valuation concerns along with how certain market participants may be channeling the market comes the fear that that the ability to buy and sell cryptocurrency and other digital assets relies on a handful of points of “exchange” and/or intermediaries. The majority of these operate beyond the EU’s supervisory perimeter. Where activity falls within the supervisory perimeter, then, in the continued absence of EU (or global) action, it remains fragmented. ICOs, cryptocurrency, digital assets and how market participants activities or investors engagement are supervised are not subject to uniform standards across EU Member States or the global level.  There is also no common definition of what a coin or a token is and how it should be categorized or regulated.

In the absence of uniform regulatory standards, fragmentation can cause new channels of systemic as well as idiosyncratic risk propagation to emerge. The flurry of participants ranging from professional to retail clients and consumers has caused a number of supervisory authorities in those jurisdictions, including at the EU1 and global level, to issue formal warnings. This is a first step with more to possibly follow. Consensus amongst users and offerors to whom those formal warnings are addressed is that increased regulation and supervision may actually be a good thing. Having safer and more uniform standards in FinTech is seen by a number of stakeholders, including cryptocurrency and FinTech users and offerors as a key tool to separate fraudulent and unsound offerings from more serious and honest projects, while others simply laugh at such attempts to regulate a phenomenon that has been designed to evade regulation as much as possible.

So what has ESMA done?

ESMA has issued two short ICO Warning Statements released on 13 November 2017, the context they operate in along with key takeaways for investors and participants. One Statement is addressed to investors, while the other is addressed to firms involved in ICOs. Both ICO Warning Statements are compact in length. Although they are written for two different stakeholder groups in mind, they build upon one another and should thus both merit consideration. Both refer to ICO specific risks. These stem from the nature the way an ICO is structured and/or where the capital raising component may not comply with applicable EU legislative and regulatory standards. As interest in cryptocurrency and participation in ICOs grow, so too, at least in the eyes of the supervisors, should the understanding and disclosures of ICO specific risks.

Investors are given five warnings, namely (i) the risk of fraud in an unregulated space, (ii) the risk of total loss of the investment; (iii) the risk of illiquidity and volatility; (iv) the lack of adequate information and (v) the risk of technological flaws.

Firms are reminded of the potential application of a number of pieces of EU legislation namely the Prospectus Directive, MiFID, the AIFMD and the 4th Money Laundering Directive.

ESMA’s Warnings to the firms are drafted to clearly remind recipients that even where an ICOs structure falls outside of the ‘existing’2  regulatory perimeter, if the cryptocurrency qualifies as a regulated financial instrument, then regulated investment activities are likely to apply. One key trigger for regulation is whether or not the tokens or coins are financial instruments. In the EU, despite largely harmonised standards, the categorisation and treatment of cryptocurrency varies and across EU jurisdictions tokens, coins or other cryptocurrency are not always treated as financial instruments. It is conceivable that ESMA, as with other components of the ESFS, will need to consider how this might have to change sooner rather than later.

So how does this fit into the wider picture and what next?

Since the issue of the warnings, the UK’s regulatory authorities, including the UK’s Financial Conduct Authority, which is considered to be quite at the forefront of nurturing the regulation and supervision of FinTech has joined supervisors in the US and various EU Member States in calling for greater supervisory scrutiny. The German Regulator BaFin, who had already published its own warning, has published a German translation of the ESMA Warnings to reinforce its own position. Moreover, a number of traditional market makers have, especially following the run-up to the start of options and futures referencing cryptocurrency assets as underlying values have begun to trade on select U.S. domiciled markets, voiced their concerns.

In summary, there is likely to be much more to come, certainly as the EU regulatory and supervisory policymakers take note of developments and announce a comprehensive framework on regulating and supervising FinTech activity. Whether this will develop independent of a hiccup or a more serious event to prompt action remains to be seen.

So what does that mean for firms and for investors?

Firstly for firms, it means taking stock of what one is doing where and with whom and whether that might or could be conceivable as triggering a regulatory perimeter for itself or that of its counterparties.  Whilst firms are assessing their supervisory stocktake, investors have been warned that their investments in cryptocurrency, digital assets and participation in ICOs (assuming it does not trigger regulatory/supervisory implications for them) relies heavily on a range of factors beyond their control, most of which have not been disclosed and thus remain opaque, subject to a host of operational risks, financial crime along with a range of liquidity risks.

To further complicate things, market conditions for a lot of the cryptocurrency inventory are narrow. Assets as well as relevant ‘exchanges’ are susceptible to a multitude to crypto and non-crypto specific risks and stresses.  Due to these exchanges providing the connectivity between digital assets and the ‘real-economy’ and equally due to increasingly credit leverage being employed, any number of transaction chains could easily cause a cascade of calls from the digital environment back to ‘main street’. This is especially the case as a number of less sophisticated investors may be borrowing, including against real estate and other tangible assets or key income streams that are financed by lenders and other market participants which may have limited appetite to finance a foray into these digital and ultimately intangible assets. It is therefore conceivable that supervisory action and application of uniform standards might look to bolster the resilience of cryptocurrency points of exchange as well as harmonised cyber-resilience standards to reduce market participants’ and infrastructure providers’ susceptibility to financial crime and digital crime.

A more detail assessment can be found in our client alert “European Securities and Markets Authority (ESMA) issues warnings on Initial Coin Offerings (ICOs): What does this mean for investors and firms involved in ICOs?”, which concluded with the following statement, which still rings true irrespective of how this market and its participants develop both in terms of commercial activity and how that is supervised:

“…whilst the ICO Warning Statements may seem stringent for some stakeholders, the ESFS and the EU are advancing to make the EU’s Single Market more digital.  Embracing cryptocurrency is one of many means to do that.”

1 See our recent coverage on the BCBS Consultative Document on FinTech .
2 And the reference to existing is deliberate in the drafting of the ICO General Warning Statement.


Manuel Lorenz is a partner in the Frankfurt office of Baker McKenzie and heads the German financial services regulatory department. His practice includes advising banks, investment firms, payment firms, fund managers and Fintech companies on licensing and product-related regulatory matters. In addition, Manuel also advises in the area of capital markets and public companies.