Latin America is a region where the cryptocurrency and cryptoasset business is booming
The practice of the law demands an active follow-up of developments regarding regulations. However, this does not stop here, and lawyers must also be familiar with the new issues that appear in a certain field. Cryptocurrencies and cryptoassets constitute one of these changes to both the reality and the practice of the law like every other technological development of the last years.
As such, it is no surprise that almost all lawyers, from banking and capital markets practitioners to family attorneys, should study and understand what cryptocurrencies, and more broadly cryptoassets, are and how they interact with the law. Cryptocurrencies are a new form of money that have been impacting the law since their inception in late 2008 and early 2009. Even though they have almost 10 years of age, most of the legal community is still wondering what cryptocurrencies are and how do they impact the law. This brief article intends to tackle the basic issues regarding them in the Iberoamerican region from a regulatory perspective.
Before any analysis of legal issues, it is important to establish a common ground for this article. In this regard, we shall start by establishing a definition regarding cryptocurrencies and cryptoassets. A cryptocurrency can be defined as a digital asset generated by a blockchain and that is used as either a unit of account, a medium of exchange or as a store of value; cryptocurrencies, following the Financial Action Task Force definition (Financial Action Task Force, 2014, pp. 4–5), are decentralized, convertible into fiat money, virtual currencies that use cryptography to safeguard the operation of their underlying network. On the other hand, a cryptoasset can be defined as a digital unit generated by a blockchain or distributed ledger that represents either (i) an asset -digital or physical- or (ii) a right to request a good or a service. In some cases, cryptoassets can be considered as securities, in particular due to the wave of initial coin offerings.
As stated above, cryptocurrencies and cryptoassets are having an impact on the legal profession in almost all areas of practice. While it’s common to associate this technological revolution with the financial world, their usage goes beyond it. In this regard, it is possible to mention that cryptocurrencies and cryptoassets have introduced changes to how we practice law in areas such as estate planning -where understanding the technical aspects of cryptocurrencies might be crucial to secure and appropriately distribute the estate- up to banking regulations or AML/KYC procedures -where knowing how to trace the origin of a coin might the difference between admitting or rejecting a client-, among other topics.
Besides the direct impact of cryptocurrencies on the different fields of the law, smart contracts -which operate using blockchains or distributed ledges- constitute an innovative area where a cornerstone of the law -contracts- is being revamped and integrated directly into the technology to allow a better performance of the agreements to reduce the costs associated with the execution and performance of an agreement, as originally proposed more than 20 years ago by Nick Szabo (Szabo, 1997). In this sense, smart contracts are challenging the existence of the judiciary by intending to eliminate the need to require the intervention of a judge in the event of a dispute by automating the resolution of any conflict. However, as the experience has demonstrated us, it is impossible to foresee all outcomes of a particular situation. As such, lawyers are still having to integrate the agreement with their interpretation and filing before a judge a petition to attend any situation.
The kind of questions that attorneys in this space must deal with can differ whether the client is an individual or a company. In the early years of cryptocurrencies, individuals asked about taxation and how to properly file taxes. In this regard, most tax agencies have attended this matter in more or less successful manner; in jurisdictions where tax agencies gave no official advice, this has been supplemented by consensus among the legal practitioners. At a corporate level, most question have revolved around the closing of banks accounts for companies that were involved somehow in the crypto ecosystem. Besides that, consultations from companies where regarding common issues to any legal entity that intends to start a business, with a focus on whether banking or money transmission licenses where required to operate.
In the current years, on the corporate level, most questions where regarding obtaining investments from third parties. During 2016 up to 2018, the main issue was initial coin offerings, and now securities token offerings. At an individual level, questions have begun shifting towards estate planning and the creation of tax efficient structures to cope with the high-pressure tax schemes that governments have introduced for crypto related activities.
Our understanding is that the cryptocurrency space will continue to evolve in the years to come and so will the consultations that clients make. In this sense, as the cryptocurrency ecosystems starts to gain a more massive audience, so will the legal issues regarding them in all shapes and forms. In this regard, we believe that the sectors or areas of the law that will see an increase in their consultations regarding the crypto space are the following: securities and capital markets, consumer protection, crimes and corporate advice in the field of M&A.
Cryptocurrencies and Cryptoassets Regulation in the Iberoamerican Region
In this first chapter of the global cryptocurrency legal review we shall begin by addressing the countries in the Iberoamerican Region. The countries included in our analysis are the following: Argentina, Bolivia, Brazil, Chile, Colombia, Costa Rica, Cuba, Dominican Republic, Ecuador, El Salvador, Guatemala, Haiti, Honduras, México, Nicaragua, Panamá, Paraguay, Perú, Portugal, Spain, Uruguay and Venezuela.
Given that is review just intends to show trends and a high-level analysis, we recommend that, prior to taking any action based on this article, you consult with a professional of that particular country to check whether the information is up to date or not as well as if your particular situation demands a special legal analysis.
1. Validity of acts executed by electronic means
Before jumping into the analysis of the more “traditional” issues regarding cryptocurrencies and cryptoassets, its worthwhile to review whether or not can acts be executed using electronic means. If acts done using electronic means cannot be legally binding, then all actions done using blockchain or distributed ledger technology would be deemed as invalid. In this regard, we have to separate between the countries that are part of the European Union and those that are not.
Regarding the countries that are part of the European Union, our starting point is the Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (the “eIDAS Regulation”). This piece of legislation states clearly that acts executed using electronic means, disregarding the type involved, shall be deemed to have legal effects and local regulations cannot indicate that they are not legally binding.
Regarding the countries that are not part of the European Union, we must look into each individual regulation to further determine whether acts can be done using electronic means. In this sense, most of the Latin American countries that are part of the Iberoamerican region follow the United Nations Commission on International Trade Law model law regarding electronic signatures. As such, their legislation tends to recognize the validity of the acts done using technological means and the wording of such regulation is quite similar. The only exception worth noting would be Argentina that, given the latest piece of regulation on the matter -National Executive Decree 182/2019-, appears to have adopted a licensed-based approach to blockchain and distributed ledger technology; in this sense, entities would have to obtain a license in order to provide services using this type of technologies.
2. Validity of digital signatures
As with the previous section, we must differentiate between EU countries and non-EU countries. In the case of EU-countries, the eIDAS Regulation has established a three-tier system composed of: (i) electronic signatures; (ii) advance electronic signatures; and (iii) qualified electronic signatures. On the other hand, non-EU countries vary from jurisdiction to jurisdiction the type of system they have implemented; nevertheless, it is possible to state that Latin American countries have adopted a two-tier system of: (i) electronic signatures; and (ii) digital signatures. Qualified electronic signatures can be assimilated to digital signatures while electronic and advance electronic signatures in the EU are equivalent to electronic signatures in Latin America.
The kind of signature involved in a particular transaction shall depend on the type of blockchain or distributed ledger involved. For example, when using a blockchain such as Bitcoin or Ethereum, it is most likely that the signatures involved could be considered as electronic signatures or advance electronic signatures, depending on the situation. On the other hand, private distributed ledgers can effectively deploy qualified electronic signatures given their lack of decentralization and the degree of control over the network participants that allows the existence of trusted third parties.
3. Harmonization with personal data protection regulations
Regarding personal data, the current international standard has been set by the EU through its Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”). In the case of EU-countries, this piece of legislation applies and the EU has developed several papers on the matter, mainly through the EU Blockchain Forum and Observatory (EU Blockchain Observatory and Forum, 2018, 2019).
Besides this, the French data protection authority has released its guidelines regarding how to reconciliate data protection with blockchain or distributed ledger technologies. In this sense, the French data protection authority suggest the following: (i) more centralized implementations allow for an easier identification of the data controller; (ii) software developers and miners could be considered as data processors; (iii) it is necessary to conduct a personal data impact assessment before deploying any data processing activity that uses blockchain or distributed ledgers; (iv) determine what information is going to be uploaded to the public record; and (v) determine how personal data rights will be complied with (Commission Nationale de l’Informatique et des Libertés, 2018). While this is the criteria of just a single data protection authority, as the GDPR requires data protection authorities to cooperate in order to ensure a uniform application of the regulation, it is not unlikely that other data protection authorities will follow the French data protection authority conclusions.
On the other hand, Latin American have a mix situation regarding personal data. Some countries completely lack a data protection regulation while others have new regulations that mimic the GDPR, such as Brazil, or are in the processing of updating their regulations, like Argentina. As a consequence, it could be argued that the same conclusions applicable in Europe are valid in Latin America, in particular in those countries that have been deemed as adequate by the EU Commission, like Argentina and Uruguay, that have to maintain a privacy practice similar to that of the EU in order to retain their adequate jurisdiction status. Therefore, the situation in Latin American should follow and be aligned with the developments that take place in the EU.
4. Validity of the blockchain to prove integrity, authorship and certain date of the acts recorded in it
Finally, as blockchains or distributed ledgers are generally considered to provide proof of integrity, authorship and certainty regarding date it is important to determine how those characteristics can be legally achieved. As usual, our analysis would have to differentiate between EU and non-EU countries.
As to EU countries, the eIDAS Regulations sets forth the trust service provider category, which can deliver different services to their users. Among these services, as detailed in article 3.16 we can find the following: “(a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, (…) the preservation of electronic signatures, seals or certificates related to those services”. Therefore, and as noted by the EU Blockchain Forum and Observatory (EU Blockchain Observatory and Forum, 2019), the eIDAS Regulation is somewhat applicable to blockchains and distributed ledgers as long as the integrity, authorship or certain date arising from it is provided by a third party as a trust service provider.
While Latin American countries lack a complete regulation like the eIDAS Regulation, most of them have in place regulations that allow the parties to rely on a technological medium to demonstrate the integrity, authorship or certain date of an action executed using blockchains or distributed ledgers. It is worth mentioning that Argentina and Uruguay have regulations regarding trust service providers that are in line with the eIDAS Regulation; hence, the above-mentioned conclusions are applicable also to those countries.
1. Legal qualification
Regarding the legal status of cryptocurrencies, only a few jurisdictions have taken a formal stance regarding the current situation of cryptocurrencies. In most cases, the legal status of cryptocurrencies must be interpreted from existing general regulations. In either case, it is possible to conclude that the Iberoamerican region countries consider cryptocurrencies as intangible assets and not as currencies. These issues have a direct impact in taxation when cryptocurrencies are used as mean of payment. On the other hand, cryptoassets tend to be subject to the same regulation as their non-crypto counterparts; for example, security tokens are treated as securities.
2. Relationship between electronic money and stable coins
As of the date hereof, no country of the Iberoamerican region has taken a stance regarding the legal status of stable coins. In that sense, it is important to analyse the characteristics of the stable coin to determine its legal classification. For example, if there is a centralized entity or group of entities that control the emission and redemption of the stable coins and their issuance depend on the exchange of an asset that can be considered as a fund then it is most likely that the stable coin would be deemed as electronic money. In any other situation, we would not have e-money and the stable coins could be deemed as a right under the agreement executed or adhered to, as it corresponds, between the stablecoin holder and its issuer.
It is important to indicate that not all of the Iberoamerican region countries have electronic money regulations. EU countries rely on their local implementations of the Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC (the “EU E-Money Directive”). As to non-EU countries, only a handful of them has e-money regulations that, more or less, follow the prescriptions stated in the EU E-Money Directive.
3. Tax implications of cryptocurrency tenure
As to cryptocurrencies tenure, the general situation in the Iberoamerican region is the lack of guidance from tax agencies as to how any act that involves cryptocurrencies must be presented in tax filings. Nevertheless, there are some exceptions to this rule which include countries such as Argentina, Brazil, Chile and Spain.
While specific tax rates and events vary from jurisdiction to jurisdiction, we can conclude that, as cryptocurrencies are not deemed as money, capital gains, or losses, must be paid every time an individual or entity disposes of cryptocurrencies applying the “first in – first out” rule to calculate the amount over which taxes must be paid. Moreover, as cryptocurrencies are part of the state of individuals and entity, if there is a tax over the estate, then cryptocurrencies are included in the calculation of that tax; it is worth noting that certain jurisdictions, such as Argentina, might have an applicable exemption for intangible assets where cryptocurrencies could benefit from them.
4. Cryptocurrencies as a means of payment
As stated above, few jurisdictions have issued regulations or official interpretations of existing regulations where cryptocurrencies are deemed as an official mean of payment. In most cases, including those where governments have merely issued press releases about cryptocurrencies, it is possible to conclude that cryptocurrencies in the Iberoamerican region are not considered as an official mean of payment but instead as a private mean of payment.
In this regard, payment in cryptocurrencies is only possible when the parties to a certain contract have agreed its acceptance to fulfil the obligations assumed under the agreement. When the parties have not agreed on this, the debtor cannot force the other party to accept cryptocurrencies; in this regard, cryptocurrencies lack legal tender in all of the analysed jurisdictions.
1. Legal qualification
In the case of cryptoassets, the situation becomes more complicated. Following the accepted classification of cryptoassets as payment -already covered in the previous section-, utility or security, each individual case of cryptoasset must be analysed on case to case basis to determine the kind of asset. As of the date hereof, none of the analysed countries have taken a formal approach to a general cryptoassets regulation that encompasses all the existing types of cryptoassets. Therefore, rules will vary, and special attention must be placed in order the determine the regulations applicable to a particular asset. In this regard, we can state that, generally, utility class cryptoassets will grant the holder a right to do or prevent someone from doing something while security class cryptoassets will be assimilated to a security under existing regulations.
2. Relationship with the traditional capital market
In most situations, security class cryptoassets are compatible with existing capital markets regulations as the regulations operate under a technology neutrality principle. In any case, issuers of security class cryptoassets must demonstrate in their filings before the corresponding regulator that their intended issuance of securities comply with the existing framework. Whether this is worthy or not is something that each issuer must contemplate when intending to issue securities using blockchains or distributed ledgers. In some countries, the existing capital market infrastructure has already taken steps to integrate this new technology into existing legal and operational framework.
3. Situation of ICOs/STOs
ICOs and STOs have been the main concern of regulators regarding cryptoassets, in particular during and after the 2017 ICO bubble. Almost all of the Iberoamerican countries have issued some type of communication or press release warning the general population of investors of the risks associated with ICOs. Regulators have focused on two issues: (i) the lack of regulatory oversight over the issuance of the security class cryptoassets; and (ii) the lack of proper information about the asset provided to the investor. Moreover, regulators provided special communication channels to request information about a particular ICO/STO as well as for filing any claim against an actual or potential scam.
Besides this, and in EU countries, some issuers have proceeded with the issuance of security class crypto assets under private sales, or that don’t exceed certain amount raised or done to accredited investors in order to rely on exceptions to the existing securities regulations. For example, in the case of Spain there have been several ICOs/STOs in the last year. While legal advisors for the deals have stated that the Spanish regulator had provided its clearance for the issuance of the crypto assets, that entity has publicly stated that no authorization was required and that issuers relied in exemptions that implied no interaction with the regulator. As such, it is still uncertain how the regulator will interpret its legal framework when an issuer files for a formal authorization, like Blockstack in the United States, for example.
1. Custody duties
As stated in other sections of this article, the custody duties shall depend on the kind of asset that it is involved and if that kind of asset triggers the application of any regulatory framework. Moreover, it is important to differentiate between countries with specific legislation on the matter and countries where general regulations shall apply.
In this regard, the only country that provides for specific regulations on the matter is Mexico, which has forbidden fintech companies subject to the Mexican Fintech Law to engage in custody operations with its end-user clients; as such, custody services can only be provided by individuals or by fintech companies for non-end-user clients, like financial institutions. This regulation has essentially crippled the retail and private custody services business in Mexico and is currently encountering heavy resistance from the industry, which is intending to question its legality in courts.
Besides the situation in Mexico and other countries that have forbidden operations in crypto assets, such as Bolivia or Ecuador, if an entity provides custody services to an individual or other entity then general regulations from civil or commercial codes shall apply to that agreement, ranging from a deposit agreement to a mandate or trustee agreement as the facts dictate. In this regard, how the terms of the agreement are drafted is of the uttermost importance to correctly delimitate the obligations assumed by the holder of the assets.
2. Computer security duties
Following this trend of lack of certain and defined regulations, the level and type of information security measures that blockchain related companies must adopt depend, mainly, on two factors: (i) if they are govern by certain sector regulations, then those provisions must be complied with; and (ii) the obligations assumed by the company in its particular agreement with the client.
As for the first factor, until a regulatory body indicates that certain crypto-related activities are under its authority, most companies in the Iberoamerican region are not subject to a particular set of information security obligations. The clear exception in this regard are Mexican companies which, as stated above, must comply with the Mexican Fintech Law as well as with the requirements set forth by the Mexican Central Bank. Since, Latin American countries look up to the Mexican Fintech Law, it is worthwhile to briefly review these obligations to understand the most likely regulatory floor for this issue. In that sense, Mexican fintech companies that deal with cryptoassets must implement a risk-based cybersecurity plan and adopt measures to mitigate or eliminate those risks. This plan and the measures must be submitted for review by an independent third party.
3. Information duties
Regarding information duties, the same logic as with the previous sub-section applies. If there are specific regulations that apply to a particular set of cryptoassets, then the information obligations of that legal framework shall apply. Otherwise, general information duties must be met when the party being provided with a service is a consumer.
As mentioned, the only country with this type of specific regulation is Mexico. The Mexican Fintech Law and the set of regulations for cryptoassets enacted by the Mexican Central Bank prescribed the information that entities that deal with virtual assets must convey to their clients. As for other countries, in most situations the general regulations on consumer protection shall apply. In this regard, information about the characteristics of the virtual asset must be presented to the user in plain terms and before any action is done in connection with them as well as regarding the operation in question. Besides this, information about the service provided to the user must also be conveyed in plain terms in order to properly communicate how risk is allocated between the user and the company or what fees are applicable to the service.
Since most self-sovereign identity solutions (“SSI”) are using blockchains and distributed ledgers as technology back-bone, the considerations set forth in section 2.3. are applicable and we recommend the review of that section for further information. SSI involve a particular set of data processing activities that have to be analysed in detail to determine the roles of each entity involved, how data flows between entities, the manner in which the data subjects can exercise their rights, among other issues. This issues has been tackled by the European Blockchain Forum and Observatory in a recent report where this issues have been highlighted (EU Blockchain Observatory and Forum, 2019).
In any case, since data protection regulations do not regulate general technologies but instead a certain and defined data processing operation, an analysis of each particular situation must be done. As a general conclusion, we can indicate that data subjects will be considered as data controllers for the purpose of creating and maintaining a digital identity while entities that deliver or verify claims regarding the identity shall be deemed as data processor as well as entities that provide storage solutions for the claims and its associated documents. On the other hand, each entities that intends to use the identity of the data subject could be considered as a data controller for the purposes that it seeks to fulfil by using the digital identity operated by the data subject, since it fits the definition of data controller; in this regard, this operation would not differ much from current data processing activities where the only distinction would be as to the source of the information and, from a technical perspective, how the source communications and relates to the database maintained by the data controller.
As a last point in this analysis of the Iberoamerican region, none of the countries included have taken a regulatory action regarding decentralized autonomous organizations (“DAOs”) and their legal status in the existing corporate law regulations. While DAOs have been promising new associative models since their inception, only a few jurisdictions worldwide have taken efforts to properly include them in their legal frameworks, among which there is none of the countries under analysis herein.
In this regard, we can identity two major issues regarding the inclusion of DAOs as corporate entities: (i) the lack of a formal agreement between the partners of the entity; and (ii) the numerus clausus principle existing in corporate law.
As for the first issue, civil law countries, which all of the Iberoamerican region are, tend to require the execution of an agreement, in some cases as a public deed, where the partners agree on the founding principles and rules for the operation of the corporation. In the case of DAOs, there is no binding agreement between the partners for two reasons: (i) the lack of an agreement since there is only code, mainly in the form of a smart contract, and no legal contract; and (ii) the partners cannot be properly identified as well as their ownership of the entity is usually transacted on a peer-to-peer basis without regard to the existing rules on how shares or partnership has to be transacted.
On the other hand, corporate law tends to indicate the kind of entities that can be formed. Consequently, DAOs are not legal entities that are currently allowed to be formed. Therefore, if a DAO is formed, it is most likely that they would be considered as simple partnerships and their partners will be held liable jointly with the entity.
The Iberoamerican region constitute one of the strongest and most developed zones of the crypto ecosystem, raising the bar at a continuous pace. The lack of regulation as well as the implementation of non-tailored regulation has not stopped innovators of creating new tools to provide the people of this region with the services they lack from the existing institutional structures. Moreover, practising attorneys in this region have demonstrated a sound knowledge of the underlying technology and how it operates. Organizations like Alianza Blockchain Iberoamerica are actively working to educate on regulatory and public policy matters in the region and it is considered as a regional reference organization in the protection of the individuals and their legal right to use cryptocurrencies and cryptoassets.