Governance, transparency and accountability in ICOs - thoughts for the present and future
Initial Coin Offerings (ICOs) have taken the business world by storm in 2017. As of 16 October 2017, over USD3.4 billion has been raised via ICOs this year.
There has been substantial scrutiny around whether a token is a security (and falls under securities laws) in the USA and other jurisdictions – and legal consequences arising from that. Until recently, there has not been nearly as much attention focused on the money raised in an ICO and how the ICO project is managed following the fundraising - including questions such as where does the money go? How can the funds be used? What are token purchasers getting for their purchases?
Having read various ICO white papers, websites and marketing documents, and spoken with different industry contacts frequently, there appears to be no clear answer to these questions. This is likely not a satisfactory answer in the wider business world, yet until recently it appears to be more acceptable in the ICO world.
The ongoing Tezos saga is the most prominent case to date for ICO governance issues – as described by the sampling of related headlines below:
- "Tezos, a cryptocurrency that raised $232 million in July, is in crisis"
- "Exclusive: Tezos founders push for legal bailout from Swiss foundation"
- "Tezos debacle – Users may indirectly pay for own lawsuits"
- "Third time's the charm? Tezos hit with third class action suit in a month".
How can the risks of another Tezos, other failed projects or outright scams be mitigated?
Regulations and governance measures have generally struggled to keep up with technological advancements. In addition, no measure will ever entirely stamp out bad actors, or the risk of projects failing due to any number of factors, in any industry.
Nevertheless, there are many low-hanging fruits that can be picked right now in this area. This article discusses issues to look out for in reviewing ICOs, and how improved due diligence, governance and accountability measures could be applied to mitigate risks, leading to better quality ICOs and a more sustainable fundraising environment for all.
This article follows my European colleagues' publication of "ICOs: A Call for governance" and our recent work with various ICOs. Together, we hope that our articles prompt further thoughts and discussions about best practices in this area.
Before we begin, this article does not explore the following topics – all of which deserve their own article:
- The "Are ICOs securities?" debate (including the merits of SAFTs), other relevant legal issues (e.g. consumer protection, tax treatment and price manipulation), or recent measures and statements from regulators around the world. Some of these issues are certainly related to our discussion below - e.g. whether certain prospectus/disclosure requirements should apply to ICOs. For my brief overview of recent ICO-related regulatory developments in Asia, please see here.
- Use cases for blockchain, or issues regarding smart contracts not being so smart (e.g. DAO, Parity). For our easy-to-digest explanation of blockchains, please see here; and for our recent seminar on blockchain and smart contracts, please see here.
- The future of cryptocurrencies, including government-issued cryptocurrencies. As a sidenote – the Bank of Canada has just released an interesting paper on this topic.
What is an ICO?
My European colleagues did a great job of explaining this topic in their above-mentioned article. Or, as explained here:
An ICO is a fundraising mechanism, in which new projects sell their underlying crypto tokens in exchange for bitcoin and ether. Most ICOs work by having investors send funds (usually bitcoin or ether) to a smart contract that stores the funds and distributes an equivalent value in the new token at a later point in time.
ICO is a recent phenomenon, as a new way of bringing capital into (usually) early stage tech companies. To date, there have been limited legal restrictions on how an ICO is run, who can participate in an ICO, where the ICO can be held from, and disclosure requirements. ICOs also frequently raise money before a product is developed, and in those circumstances (at the point of fundraising) it is unclear how the project will turn out.
To sum up – ICOs are frequently speculative, and their quality varies widely from project to project.
What is an ICO's lifecycle?
Broadly speaking, different projects vary widely in how much time is spent on each stage. The stages are:
- Preparatory work - on the project.
- Announcing the project and token sale - this includes publicising the project (and its objectives) and setting out the token sales terms. This may be done before or in conjunction with the white paper.
- White paper - this sets out the project and why the ICO is being conducted. There may be discussions of the white paper in various forums, and amendments may be made to the white paper/project based on those discussions.
- Token sale date - on this date, supporters can buy the tokens with cryptocurrency (usually bitcoin or ether) or, in limited cases, with fiat tender (e.g. US dollars). Frequently, there are separate sale periods, e.g. presale periods for advisers/large-scale purchasers, public sales periods (sometimes with different "bonus" token amounts attached).
- Token sales - will usually last for a defined period.
What is corporate governance and what requirements are there for ICOs?
Corporate governance refers to the structures and processes in place to direct and control companies, including relationships between stakeholders, oversight and supervision of the company, the rights of investors, risk mitigation and ethical behaviour. It is intended to increase the company's accountability and transparency, to mitigate the risks of disasters to the company and to clearly define a company's decision making process. Frequently, corporate governance also seeks some balance between founders, investors and the wider applicable community.
Legally, while the aforementioned legal issues are being sorted out – there are no governance requirements specific to ICOs in Hong Kong, Singapore or many other jurisdictions.
So… what happens to all the money raised in an ICO?
Well - it depends.
A good quality ICO will clearly set out what will be done with the money raised, accurately and with specific details.
Unfortunately, many projects either do not address this topic at all or do so in a vague, non-specific manner; give false information; or have a clear misalignment with respect to incentives for developers and token holders.
This is a question that founders, token holders, regulators and the wider public are increasingly looking into.
How about some cases of ICOs going off track?
While many ICOs have raised a lot of money for good projects, various other ICOs have gone off track this year, and they make for interesting reading. Here are a few examples:
- We mention Tezos above. The project has stalled at present, with no tokens issued and no end date in relation to project development, following the raising of USD232 million in July 2017 in cryptocurrencies (now worth substantially more, given recent bitcoin prices). There have been three class action lawsuits initiated by token purchasers against the founders, with a separate legal dispute between the founders and the foundation that holds the raised funds in relation to use of those funds.
- Coinist has ranked the 6 worst ICOs of all time, under the headline "Poor returns, failed technology and outright scams make ICO investors leery". Here is their pick for the worst ICO in 2017:
One of the worst ICOs of 2017 was OneCoin, a textbook scam from start to finish. OneCoin was a multi-level marketing Ponzi scheme (think Cutco knives). It’s difficult to give more detail, because there’s no information a token was ever created. The team had little concrete to show investors, and certainly no working prototype. Some of the team’s biggest members had previously been linked to other scams. Dr. Ruja Ignatov, founder and COO, may have falsified her qualifications on the company’s website. Speaking of the website, it was a parody of a scam site. Spelling was poor, and technical problems were common. Numerous governments warned against investing. On April 24th, Indian authorities raided a OneCoin meeting. 18 were jailed, but not before OneCoin scammed investors out of 350 million. Tellingly, they accepted funding in standard currency, not Bitcoin or Ethereum like most ICOs. The story was a black eye on the crypto world.
- CNBC's headline gives a good picture of what happened with the Confido ICO in November 2017 - "Cryptocurrency start-up Confido disappears with $375,000 from an ICO, and nobody can find the founders".
Wow, that's not good. What should we look out for, whether as an ICO issuer or purchaser?
At present, the regulatory environment is uncertain internationally, with a lack of consistency and with regulators still assessing how to regulate ICOs, if needed.
In the meantime, we believe addressing the issues below will help to mitigate commercial and legal risks for both token issuers and purchasers. We are not advocating a one-size-fits-all approach – as some of the below points will be more applicable to certain projects than others, and many of these considerations are naturally linked to one another.
Commercial considerations and transparency
- Why an ICO? Amidst the ICO hype at present, it is worth questioning why certain projects need tokens or blockchain technology at all – this may then lead to wider discussion regarding the points below.
- How will tokens be allocated between the founders, advisers, early purchasers and the general public, including if there are different sales phases? Are there any restrictions or conditions on tokens that are being held for anyone other than the general public, e.g. lockout periods? How will any excess unsold tokens be dealt with – will they be "burnt" or will they be kept? What is the pricing difference between the different phases of sale and between each class of stakeholders? Who has purchased tokens before the public sale period, and at what price were those presale tokens purchased?
These issues affect areas such as:
- how sustainable is the token's value, including whether there are possibilities of price manipulation ("pump and dump") and public (non-presale) purchasers being more likely to lose money; and
- whether incentives for founders and token holders are aligned; and
- whether key personnel (founders, investors and otherwise) are committed on a long-term basis to the project.
- Is there a hard cap for the amount raised, and if not, why not? How will tokens be split between the presale and the public sale? Do purchasers pay for tokens using virtual or fiat currency? Uncapped ICOs (where the ICO does not cap the amount it can raise during the ICO) maximise the amount received by the ICO issuer upfront. However, they also increase the risk of losses for early purchasers of the token, because deflationary pressures (i.e. too many coins) are more likely to occur. How much money does the project realistically need, and is the amount raised massively outside of that? Multi-round fund raising is common outside of ICOs, yet that approach has not taken hold in the ICO space. Raising money all up-front can potentially affect incentivisation and motivation.
- How will the raised money be used? Are there milestones that have to be reached before money is released or used? Will the money raised be held in a multi-signature wallet/escrow, and if so, who are those signatories? Has the project committed to regular post-ICO disclosures regarding spending and progress? Otherwise, what is to stop the money raised being spent on champagne, caviar and excessive salaries (self-dealing), as opposed to completion of the project? Be on the lookout within the white paper and ICO website for this issue – transparency is key. See our point below on milestones.
- What product has been developed, if any? Is it an actual product or a test product? What is the development roadmap for the product? Is the code for the product available, and if so, is there any need to do due diligence on it? There have been ICO projects that do not describe, substantially or accurately, what the end product will be, why the product is useful, or whether the product will have a business market (see below for further details). A key part of any purchasing decision is understanding what is being purchased – and this relates to separate questions regarding the bona fides of the team involved. This leads to…
- What is the business strategy for the project? Is the project making any claims that are false, outlandish, outrageous or very likely to be unfulfilled? Look out for representations that are too good to be true or where the project's materials contain substantial marketing spin. Regulators are beginning to crack down on ICOs involving fraudulent behaviour. For example, the SEC recently obtained an emergency asset freeze to halt the PlexCorps ICO (which had raised USD15 million since August) for fraudulent representations regarding profit; and previously brought action against two ICOs that had no real operations.
- Who in the team is responsible for the different aspects in the project? Have they been involved in previous similar or related projects? What is their background, and does it match up with what they are trying to do here? Are there any falsehoods involved in their profiles? This includes:
- if the project has celebrity endorsers or convicted criminals as founders – this New York Times article takes a great look at this topic, where celebrities are paid to endorse ICOs without disclosures regarding conflicts of interests, and where founders' backgrounds are not what they appear to be;
- advisers being listed on a website when they are not advisers to the project, or where false identities are made up for the advisers; and
- the founders and advisers are clearly identified (and are not fraudulent), but have not previously done anything in the space in which the ICO operates.
Legal considerations and challenges
The issues below reference more specifically legal and corporate governance measures that are common (and required) in the corporate world. These issues can frequently be addressed in the white paper and the ICO terms. Lawyers in particular can add significant value here.
- Which entity is issuing the tokens, which entity is the "OpCo" (if a different entity), and in what country are those entities incorporated? Is the entity a corporation, a foundation, or something else – and how does that affect the rights of other stakeholders and token holders? What is the relationship between that entity and other stakeholders in the ICO project, e.g. the founders? A basic question, and a key issue in relation to good governance – different countries will have different applicable laws in this area. For example, in the Tezos case – a separate foundation (in Switzerland) from the OpCo (in Delaware) was set up to receive the funds from token purchases, and there are now multiple problems between the founders and the foundation that have partly led to the stalling of the project. These problems include: (a) whether the founders can terminate the foundation's president, and (b) whether the foundation is required to indemnify the founders' ongoing legal costs. There will also be other considerations over time affected by this question. For example, tax-related considerations will become increasingly apparent and will be affected by this question – e.g. the California Federal Court has just ordered Coinbase (a major cryptocurrency exchange) to submit identifying records for all users who bought, sold, sent or received more than USD20,000 through their accounts in a single year between 2013 and 2015.
- What are token holders' rights contractually? As above, we would argue that ICO issuers should address some of the considerations set out in this article, in the terms applicable to their ICOs. A basic point is checking whether there are any terms at all governing this issue.
- What is the ownership and voting rights structure for token holders? Are there separate classes of each, including for ownership of large blocks of tokens? Are there any anti-dilution mechanisms for existing token holders? This is related to the commercial considerations above.
- What are the milestones for release of funds? We touch on this topic above, but it is worth re-discussing here. One of my primary practice areas is in technology contracts – where it is common to have payment/release of money after satisfaction of certain milestones, which can be assessed either objectively or on a voting/committee approval basis. This is technologically possible in ICOs – whether via linkage to milestones or via voting of token holders, with smart contract coding then reflecting that mechanism. While the mechanics of these measures will need to be worked through (e.g. is it possible to have accurate milestones at the pre-product stage?), I predict we will see an increase of these mechanisms (and a decrease of money being made entirely available to the project as soon as the ICO sale period concludes).
- Are there any terms of the ICO offering that are transparently unfair, one-sided and unlikely to be upheld by the courts from a consumer protection perspective? For example, in the Tezos case – the T&Cs for the ICO classified any purchase of tokens as being a "non-refundable donation" (see paragraph 12 of the T&Cs). Query whether a court would uphold purchases of tokens as a "donation", with no underlying rights. This ties into wider questions regarding whether ICOs are securities (and a topic that courts will look at for Tezos). Besides legal considerations, such provisions are likely to raise public policy and consumer protection considerations.
- Has the ICO considered AML/KYC considerations in its fundraising? While it is an open question in some jurisdictions whether AML/KYC compliance is legally required for ICOs – increasingly the market view is that AML/KYC compliance is a sign of a good quality project, particularly for long-term credibility and with increasing regulatory attention paid to cryptocurrencies and whitewashing of criminally-procured funds. It will also create credibility with banks, other large partners and the public down the line. As examples of regulatory attention – the UK and Australian governments have both announced measures to ensure AML/KYC guidelines are complied with in the cryptocurrency trading space, and Singapore has announced plans to do so in the near future (via their recent A Guide to Digital Token Offerings).
- Who will be overseeing the business – e.g. will there be a board of directors (or similar)? Will that board have specific powers in relation to the business? An accountable board structure is a key part of good corporate governance. I expect we will see more of this as the market matures and investors increase demand for good governance relating to ICO projects.
- How often will there be updates on the project, including discussions between founders and token rights holders? Are there any ongoing reporting or audit mechanisms for token holders? For example, will there be annual board meetings or other public forums of accountability, besides online forums and Telegram groups?
- How will disputes be resolved, whether between token holders or between founders and others? What is the proposed dispute resolution forum and governing law? This is a key issue that has come up in relation to Tezos, i.e. it is unclear how any dispute between the founders (who hold the intellectual property) and the foundation (to which the money went) would be resolved.
- Where is the intellectual property of the project held? If there is a separate ICO entity and "OpCo" entity – what is the contractual relationship between them in relation to the IP? In the Tezos case, the agreement between the foundation and the founders governed the release of the Tezos software code (including to public domain prior to fundraising), but without concrete timing.
That's a lot of considerations. Where is the ICO industry generally on this topic?
Apart from increasing regulatory attention, industry players are also paying more attention to this area (including in relation to presales). Worthy industry efforts include:
- Pending regulatory approval, the Gibraltar Blockchain Exchange is expected to be launched in January 2018, creating the first regulated ICO token exchange. Gibraltar has also created guidelines on how to operate a blockchain service, and will be the first jurisdiction internationally to endorse a nationally regulated ICO exchange.
- ICO Governance Foundation, which has produced a white paper that addresses some of the above issues in more detail.
- Cardozo Law School's Blockchain Project – which recently published a critique of the SAFT.
- Continuing self-regulatory or industry collaboration efforts – such as the Digital Asset and Blockchain Foundation of India in India.
- Various blockchain-related companies and advisors are increasingly focused on regulatory, governance and quality-aspects of ICOs. For example, Intrepid Ventures have a strong focus on this issue – they published a detailed series of articles on how to launch a quality ICO (a very helpful read for anyone considering launching an ICO), and recently conducted a webinar on AML/KYC issues in ICOs.
If nothing else, the increasing difficulty faced by ICOs in meeting their fundraising targets – from 92% in June 2017 sliding down to 34% in September 2017 – shows that the industry is increasingly distinguishing between good ICOs and bad ICOs.
What should we look out for right now?
In the meantime, for ICO stakeholders, it is worth keeping the following in mind:
- Regulators are likely to pay more attention going forward, particularly given increasing public scrutiny. After all, one of regulators' key objectives is to ensure public interest is not harmed.
- There will be increasing attention on whether ICOs will need to comply with securities laws. In addition, as mentioned above any regulator or prosecutor can still come after bad ICOs for fraud or other crimes, and investors can still take civil action against you under various causes of action. As an example, the SEC recently obtained an emergency asset freeze to halt the PlexCorps ICO (which had raised USD15 million since August) for fraud. Depending on your jurisdiction, any "sophisticated investors only" or "you may lose all of your money" warnings in your ICO terms may be invalid.
- There are likely to be reputational consequences to a non-sustainable project, where funding is taken but not properly used.
- Regulatory compliance and following best practices will be beneficial going forward. For example, any M&A or other exit strategy, or potential partnership opportunities, down the line will likely require early and continued compliance with all regulatory and legal obligations. Wider lessons in the anti-bribery/corruption/AML space may well be useful to ICO issuers here. A sustainable and credible project will require regulatory and legal compliance.
Addressing the above issues – in your public disclosures, structuring and the terms for your ICO – can mitigate those risks. Here are some concrete steps we recommend, flowing on from the above discussion:
- Have a clear white paper that describes your product, your business strategy and your implementation roadmap.
- Clearly set out, in your white paper and ICO terms, how any money raised will be used and handled, including addressing the issues set out above. Tie this into the information above, and include how the money will be released in accordance with the road map.
- Consider whether the ICO issuing entity and OpCo will be separate entities, and what corporate structure (e.g. foundation or corporation?) will be used in what jurisdiction. Ideally, there will be a corporate board structure (or similar) that will ensure appropriate oversight of the project. Are you establishing the entities in the right jurisdiction, with the right structure, and for the right legal and commercial (short-term and long-term) reasons?
- Consider appropriate milestones in your project, and releasing raised funds in alignment with those milestones.
- Whenever there are material developments, make sure that they are disclosed accurately and promptly, and consider self-reporting and appropriate audit mechanisms.
- Comply with all legal and regulatory requirements. Continue to consult your lawyers and advisers in relation to developments and compliance – as it is likely that the pace of change and scrutiny in regulations will increase in the future.
- For the wider industry – it is important to put pressure on ICO issuers to address the above issues, and ensure bad players and fraudulent practices are publicly identified (ideally before they create any harm). Self-regulation can mitigate some of the above risks.
Some of these points likely conflict with the promise of decentralisation and anonymity in blockchain solutions, and will require discretional judgement on a case-by-case basis – there is no one size fits all solution. Nevertheless, there is good reason why similar measures have arisen in the wider corporate world over time – to ensure a sustainable ecosystem with resources directed at better quality projects, to ensure that bad actors are (to the extent possible) eliminated, and to ensure that your legal and professional risks are mitigated by a better balance between the interests of all stakeholders.
That all makes sense. Who should we discuss this with?
There are an increasing number of competent advisers out there who can guide you through the processes and considerations outlined above – including us!
Our international Digital Economy group advises various ICOs around the world, and advises on governance issues in both ICOs and the wider business world (and how they can learn from each other). We would be very happy to discuss any questions you may have.
This article is part of continuing and wider industry discussions, as the ICO space continues to evolve. All feedback (whether aligned with or contrary to this article) is welcomed.
With thanks to my Ashurst Digital Economy colleagues – Tara Waters, Dr Ian Maywald and James Leung – for their input regarding this topic.