Security Tokens Can Turn Regulation Into Code, But Are Still Vulnerable To Attacks

While security tokens are pegged to be the next big thing, are they truly secure from a cybersecurity perspective? Let’s discuss.

The crypto space today is still underregulated and too risky for mainstream adoption. This is slowly changing as the SEC (the US Securities and Exchange Commission) makes up its mind about the legal status of coins and tokens. Integrating regulation into smart contracts to gain SEC approval can help the space gain momentum, but it does not fully solve cybersecurity questions regarding investor fraud.

There are two main issues with regulation in the crypto space, one facing investors, and one facing projects and regulators.

Token sale investors generally have very few assurances and are rarely offered legal security for being repaid, even if the project is a fraud.

At the same time, because crypto markets are global and digital assets are difficult to trace, Know-Your-Customer (KYC) requirements and other regulation must do their best to prevent rogue actors from buying and using tokens for criminal purposes.

Making token investments reliable

Tokens represent no safe return for investors, because they are, in many cases, designed as tools for buying products or services that a company launching a token sale is still developing. They are high risk but provide potentially high reward bets on disruptive technologies. However, many fail, and when projects fail before creating a usable token, the line between a failure and a fraud is thin, and thus becomes a legal issue.

The promise of security tokens is that regulations that prevent fraud can be encoded into smart contracts that underlie the token itself. This hardwired regulation should create more investor trust in the financing process of blockchain projects. The first step for this can already be seen in the form of KYC encoded in the ERC20 token standard, the most common one used today.

New projects can encode regulation that satisfies SEC requirements for a security into the smart contracts that govern how and by whom a token may be transferred. The SEC uses the ‘Howey Test’ to consider whether an asset is a security, and therefore falls under its strict regulation:

1) Is it being sold as an investment promising financial returns?

2) Is there a central person or group of people upon whom investors rely for the development of the value of the investment?

Token projects usually try to work around being classified as a security to avoid a stricter regulatory regime. Many claim not to meet the first condition because the tokens serve as vehicles for the purchase of a service. Nevertheless, many investors buy tokens in the hope of price appreciation, not simply to use the token for products, and this satisfies the condition.

Meanwhile, cryptocurrencies like Bitcoin or Ethereum can claim to be sufficiently decentralized in their developer communities to not meet the second condition, but again, most projects creating tokens have central developer teams and often companies behind them, which makes them a security.

Encoding regulation

There are several ways to encode regulation and ensure that crypto assets follow legal frameworks for investment.

The simplest method is writing certain rules into the security token of a company or network itself, like KYC rules that make sure that only whitelisted and approved addresses can send and receive tokens. This can be extended to combat fraudulent projects, or the fraudulent or improper use of tokens.

Regulators can further create ‘shell’ tokens that enforce specific types of country or industry-specific regulations onto transactions of general tradable tokens. Legal advisors or auditors could also create smart contract-based regulatory add-ons that automatically check for certain conditions needed for the satisfaction of legal frameworks or certificates, for example, environmental protection provisions.

Furthermore, security tokens will only be able to be bought and sold on exchanges which hold a license for security trading. The exchange protocols can encode the legal requirements for security trading into the smart contracts underlying transactions on their platforms. This is a crucial place to attempt to curb fraud from the investor side, because exchanges are often the entry-point into the crypto financial system.

All three forms of programmable regulation promise a clear upgrade on current best practice: they prevent rather than punish unlawful actions. Today, legal protection ensures that the law will punish wrongdoing after it has happened. However, if funds are locked in smart contracts that have regulations encoded, they cannot be transferred or used for fraudulent purposes in the first place.

Not enough cybersecurity

Nevertheless, a future without financial fraud is still an illusion.

Firstly, it is still possible to launch a scam project, conduct a token sale, and then fail to deliver on the promises of the sale while transferring the funds into fiat currency and using them for whatever undisclosed purposes. Only traditional legal protection will ensure investor protection, and turning token sales into license-requiring security sales is a step in the right direction.

The more dangerous predicament lies with the uncontrollable trade of access information to crypto wallet addresses. Although KYC and anti-money laundering (AML) regulations are starting to be commonplace in crypto, they are not enough to prevent unknown actors from gaining access to funds, for whatever purpose they may wish to use them.

For example, a whitelisted and approved investor who has gone through KYC procedures could sell private keys or other ways to access funds, without knowledge of the system, and the funds may then be used by rogue actors.

Although the mediator, the approved investor, would be known and could be held responsible, this could be a simple person with very little knowledge of the broader criminal network behind the purchase. Such a network could buy up many different access points from simple people in exchange for untraceable fiat payments, and thereby gain access to crypto funds for money laundering or even to manipulate markets.
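The whitelist rule described under "Encoding regulation" and the limitation described above can be seen side by side in a small model. This is an added example, not code from the author or from any token project: the RestrictedToken class, its method names, the hash-based address derivation and the sample keys are all assumptions made for illustration.

```python
import hashlib

def address_of(private_key: bytes) -> str:
    """Stand-in for address derivation; real chains derive it from a public key."""
    return hashlib.sha256(private_key).hexdigest()[:40]

class RestrictedToken:
    """Toy ledger: transfers are allowed only between issuer-approved addresses."""

    def __init__(self, issuer_key: bytes, supply: int):
        self.issuer = address_of(issuer_key)
        self.whitelist = {self.issuer: "issuer"}   # address -> KYC record label
        self.balances = {self.issuer: supply}

    def approve(self, caller_key: bytes, addr: str, kyc_label: str) -> None:
        if address_of(caller_key) != self.issuer:
            raise PermissionError("only the issuer may whitelist addresses")
        self.whitelist[addr] = kyc_label

    def transfer(self, sender_key: bytes, recipient: str, amount: int) -> str:
        """Returns 'ok' or the reason the rule set rejected the transfer."""
        sender = address_of(sender_key)   # proves key possession, nothing more
        if sender not in self.whitelist:
            return "sender not whitelisted"
        if recipient not in self.whitelist:
            return "recipient not whitelisted"
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            return "insufficient balance"
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return "ok"

def run_demo() -> dict:
    # Constructed sample keys; a real key is a random secret, never a literal.
    issuer_key, alice_key, bob_key = b"issuer-key", b"alice-key", b"bob-key"
    token = RestrictedToken(issuer_key, supply=1000)
    alice, bob = address_of(alice_key), address_of(bob_key)
    token.approve(issuer_key, alice, "KYC record: Alice")
    results = {"to_unapproved": token.transfer(issuer_key, bob, 100),
               "to_approved": token.transfer(issuer_key, alice, 100)}
    token.approve(issuer_key, bob, "KYC record: Bob")
    # The ledger's only input is the key, so this call looks the same whoever
    # holds it, and the transfer is attributed to the KYC record on file.
    results["key_holder_transfer"] = token.transfer(alice_key, bob, 40)
    results["attributed_to"] = token.whitelist[alice]
    results["bob_balance"] = token.balances[bob]
    return results

if __name__ == "__main__":
    print(run_demo())
```

The encoded rule blocks the transfer to an unapproved address before it happens, but the check binds the KYC record to an address rather than to the person using the key, which is why off-chain controls and monitoring remain necessary.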

The development of security tokens therefore leaves the space with hope, but also with further unresolved questions.

Tokenization brings many benefits to markets: tokens enable more varied asset classes to gain liquidity, and we now see a rise of encoded regulation that brings their use into a secure investment space. However, dangers of undermining the markets still remain, and crypto developers will have to keep coming up with more innovative models for preventing fraud to root out financial misbehavior. Security tokens are a small and incomplete move, but still a step in the right direction.

The author, Adrian Stein, is a decentralization enthusiast and head of Content & Growth at Zerion, a fintech leader that powers the tokenization of the economy by developing the technology to connect great companies with great investors. Founded in 2015, Zerion has created a platform to facilitate successful token sales, providing companies with a secure infrastructure to issue tokens. It is now the first fintech leader to pair up its tokenization platform with a seamless investment and tracking interface for crypto investors.