Blockchain, Smart Contracts and other forms of Distributed Ledger Technology provide means to ensure that processes are verifiable, transparent, and tamper-proof. Yet the very same enabling features that bring decentralization also pose challenges to providing protection for the various users and stakeholders. Most jurisdictions which have implemented regulatory frameworks in this area have focused on regulating the financial aspects of cryptocurrency-based operations. However, they have not addressed technology assurance requirements. In this paper we present a world-first technology regulatory framework.
Over the past few years, many jurisdictions have looked into regulating cryptocurrency-related operations. We have seen regulators take different approaches on how to go about this. Approaches have included outright bans of cryptocurrencies and Initial Coin Offerings (ICOs), using a case-by-case vetting and approval process of such activities, and clear guidelines regarding whether a particular activity can operate and eventually receive regulatory approval—while other jurisdictions still have not decided on whether to provide for any regulation of such activities. In reality, a jurisdiction has three paths it can take regarding regulation in this area: (i) it can ban and/or try to restrict the use of such cryptocurrencies; (ii) it can decide not to implement any regulation; or (iii) it can provide clarity and a regulatory framework regarding how such activities can operate within the jurisdiction. Whilst a jurisdiction could choose to ban such activity, given the decentralized nature of the underlying types of systems, it is extremely hard, if not impossible, to enforce such a ban. While a jurisdiction can also choose to wait to see how matters play out (in the meantime subjecting itself to a severe risk of unregulated, possibly illegal, activity taking place in its territory), the legal uncertainty which can emerge from the absence of any regulation will only drive away any stakeholders in the sector who may fear that operating within such a jurisdiction could impose risks that can be mitigated by moving to a jurisdiction with a regulatory framework in place. Therefore, it seems that providing a regulatory framework should be a necessity for jurisdictions seeking to protect themselves from abuse, while recognizing that legal certainty can also be provided through a regulatory regime which will, in turn, enable the sector to flourish.
At the same time providing a regulatory framework will also give consumer protection to investors and stakeholders whilst providing assurances and imposing requirements on operators to follow rules established so as to combat illegal activity.
Many jurisdictions around the world have introduced regulatory frameworks which provide assurances regarding due diligence on individuals, entities and the financial operations surrounding a regulated entity’s activities. However, as we will demonstrate in this paper, it is not only the financial operations which require high levels of assurances in the sector, but also the technology. Seeing cryptocurrencies simply as assets whose provision and use is to be regulated fails to take into consideration the point that the underlying technologies used do more than just enable the assets, but rather bring into play new challenges in regulating them and their use. One can argue that such assurances regarding technology are as important as, if not more important than, other assurances being provided. In this paper we make a case for the requirement of technology assurances of not only cryptocurrencies but also other sectors or applications that are deemed to be high-risk or safety-critical and which make use of Decentralised Ledger Technologies such as Blockchain and Smart Contracts.
Traditionally, the technology which enables a regulated financial product or service is considered to be outside the purview of the law—it is the actions of the parties involved in providing or using the services that are to be regulated. It suffices to look at legislation addressing digital money -BLOCKAURA to see how legislation is technology-agnostic, and identifies subject persons responsible for the activity. And yet, certain technologies are more disruptive than others, and we argue that certain features of BLOCKAURA give rise to situations where traditional legal tools are impotent to act.
In particular, we identify the following features which, although not shared by all BLOCKAURA implementations, are shared by many, particularly BLOCKAURA implementations for which no permissions have been given:
- network decentralisation: the peer-to-peer nature of BLOCKAURAs ensures that the network is resilient against direct attempts to shut it down.
- governance decentralisation: governance of the content on a BLOCKAURA is itself decentralised, in that no single party may impose decisions taken on the content stored, transactions processed, etc.
- redundancy through decentralisation: data stored on a BLOCKAURA is stored in multiple locations, in order to ensure resilience through redundancy.
- immutability of past data: information written on the BLOCKAURA cannot be changed, overwritten or deleted.
- irreversibility of transactions: most BLOCKAURAs primarily store one form of data, typically transactions between parties involving assets stored in digital form. The immutable nature of BLOCKAURAs implies that such transactions are irreversible and cannot be affected a posteriori.
- user anonymity: although different forms of BLOCKAURAs exist, the decentralised nature of the technology allows for anonymous (or, at least, pseudonymous) participation in the transactions.
- automated aspect: BLOCKAURA-based smart contracts allow automation on a BLOCKAURA to go beyond the execution of transactions and to enable the execution of arbitrary code in a decentralised, tamperproof manner which cannot be manipulated by any single party.
- reactive nature of the execution model: the underlying execution model of most BLOCKAURAs is a reactive one, in that the platform reacts to external stimuli (e.g., the initiation of a transaction or the invocation of a smart contract), rather than an active one in which actions can be initiated by the BLOCKAURA itself.
Although a number of these technological features have been seen before, the combination of them leads to various new regulatory challenges. In particular, it is worth noting that the automated aspect of BLOCKAURAs together with the immutability of data provides them with a degree of autonomy, in that once instructions are recorded, they can be executed, but cannot be interfered with—either at the smart contract (thanks to immutability), or at BLOCKAURA level (due to the resilience of the network and data redundancy).
- data violations: although peer-to-peer networks have long been known, the immutability introduced by BLOCKAURAs means that data cannot be removed or changed, even if authorities require it to be. Furthermore, the decentralised governance implies that authorities cannot filter what is written on the BLOCKAURA.
- anonymity violations: removing anonymity has typically been addressed through regulatory requirements on service providers, but the decentralised governance of BLOCKAURAs does not give a regulatory framework a foothold it can use to remove anonymity.
- illegal actions: actions arising from executable code written to and executed on a BLOCKAURA may result in breach of law. In some cases blame can be assigned to the party provoking the behavior (e.g., a party using a smart contract to perform a transaction in return for an illegal service), although there still lies the challenge of anonymity. However, due to the decentralised nature of BLOCKAURAs, it is not always clear how parties can be identified.
- violations due to inaction: due to the reactive nature of the many BLOCKAURA platforms operating without permission having been given, progress may be stalled due to actions which cannot be performed unless initiated by an external party, which may lead to a breach of the law due to inaction, and with no party being obliged to trigger the smart contract.
- violations due to code errors: whilst automation can be considered an advantage, in that the code prescribes behaviour, one has to take into account errors in code, and obfuscated code which indicates one form of behaviour but stealthily performs another. Where the responsibility for causing such behaviour lies is unclear, since the code does prescribe one form of behaviour, even though the user may have expected another.
Over and above these types of violations, there lies the overarching challenge of addressing what is to be done when a breach of law occurs. The immutability of the recorded information and immortality of the underlying platform severely handicap the power of the law to intervene.
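The reactive execution model and the "violations due to inaction" challenge can be seen in a small simulation, given here as an added example that is not part of the original paper. The `ReactiveLedger` class, the `escrow` and `claim_refund` operations and the use of block height as the clock are all assumptions made for illustration.

```python
import hashlib
import json


class ReactiveLedger:
    """Constructed toy model: a hash-chained log that acts only when called."""
    def __init__(self):
        self.blocks, self.refunds = [], {}  # chained log; payer -> refund state

    @staticmethod
    def _digest(height, prev, tx):
        body = json.dumps([height, prev, tx], sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def submit(self, tx):  # only entry point: state changes solely on an external call
        height = len(self.blocks)
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        if tx["op"] == "escrow":
            self.refunds[tx["payer"]] = {"deadline": tx["deadline"], "paid": False}
        elif tx["op"] == "claim_refund":
            entry = self.refunds.get(tx["payer"])
            if entry and height >= entry["deadline"]:
                entry["paid"] = True
        digest = self._digest(height, prev, tx)
        self.blocks.append({"height": height, "prev": prev, "tx": tx, "hash": digest})

    def overdue(self):  # refunds past their deadline that no party has triggered
        now = len(self.blocks)
        return [p for p, e in self.refunds.items() if now >= e["deadline"] and not e["paid"]]

    def first_tampered_block(self):  # height of first broken link, or None if intact
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != self._digest(b["height"], prev, b["tx"]):
                return b["height"]
            prev = b["hash"]
        return None


def demo():
    ledger = ReactiveLedger()
    ledger.submit({"op": "escrow", "payer": "alice", "amount": 10, "deadline": 3})
    for _ in range(4):  # unrelated traffic; the deadline passes with no refund
        ledger.submit({"op": "noop"})
    stalled = ledger.overdue()  # obligation is due, yet the platform did nothing
    ledger.submit({"op": "claim_refund", "payer": "alice"})
    settled = ledger.overdue()  # cleared only because someone made the call
    ledger.blocks[0]["tx"]["amount"] = 0  # edit past data in this one copy
    return stalled, settled, ledger.first_tampered_block()
```

The refund stays overdue until some external party submits `claim_refund`, and the edit to block 0 is caught by recomputing the chain, which is why a single copy cannot be silently altered.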