This publication may be reused for noncommercial purposes if the source is cited as IFC, a member of the World Bank Group. 1 www.ifc.org/thoughtleadership NOTE 63 JAN 2019 Blockchain and Associated Legal Issues for Emerging Markets By John Salmon and Gordon Myers Blockchain, or distributed ledger technology DLT, is a tamper-evident and tamper-resistant digital ledger implemented in a distributed fashion. 1This emerging technology, which enables direct transactions within a ledger without need for a central authority or trusted intermediary, has the potential to re-engineer economic models and enable the creation of markets and products previously unavailable or unprofitable across emerging markets. However, in considering the potential benefits of blockchain, organizations must also consider the associated risks and how they can be managed. These risks include jurisdictional challenges, crypto assets, privacy and data protection, double spending, and distributed denial-of-service DDoS attacks. Several risks have been identified and overcome at similar innovative leaps in the recent past, including the commercialization of the Internet and cloud computing. It is essential that enterprises understand all risks inherent in blockchain systems, including being able to clearly identify who is accountable and legally responsible. Blockchain’s key characteristics present challenges to the existing legal and regulatory framework. It is comprised of digitally recorded data in “blocks” that are linked together in chronological order in a manner that makes the data difficult to alter once recorded, without the alteration of all subsequent blocks and collusion of a majority of the network. Each node on the network generally contains a complete copy of the entire ledger, from the first block createdthe genesis blockto the most recent one. Each block contains a hash a fixed length alphanumeric string generated from a string of text pointer as a link to a previous block, a timestamp, and transaction data. By its nature, distributed ledger technology allows for transactions and data to be recorded and shared across a distributed network of participants without the need for a trusted intermediary. The original instance of blockchain bitcoin was to enable peer-to-peer transactions without the requirement for, or cost of, a central party. Organizations wishing to develop a decentralized application on a blockchain therefore face a new set of risks and issues to manage. Most of these stem from the fact that we live in a world where centralized governance and control is the norm. Accordingly, the vast majority of countries’ laws and regulations envision centralized businesses or structures with a singular seat of control and responsibility. Deviating from this arrangement poses a challenge from a legal and regulatory perspective and raises enforcement issues. This is particularly the case when it comes to regulated sectors such as financial services. In this sector there has traditionally been some of central counterparty, which often is regulated. Within a particular system or process, that central party is accountable and takes responsibility for the provision of the services to all of the other participants through a contractual framework underpinned by the legal and regulatory structure. An example of this would be the role of a central bank or other institution in clearing and settlement processes. About the Authors John Salmon, Partner, Hogan Lovells International LLP, London, UK, and Gordon Myers, Chief Counsel, Legal Department, Technology and Private Equity, IFC, and Co-Chair, Legal and Policy Community, ITS Innovation Lab, World Bank Group. Their emails are and gmyersifc.org respectively. Public Disclosure Authorized Public Disclosure Authorized Public Disclosure Authorized Public Disclosure AuthorizedThis publication may be reused for noncommercial purposes if the source is cited as IFC, a member of the World Bank Group. 2 However, in many blockchain use cases there is no such centralized party that takes responsibility for the provision of services or controls associated data sets. Instead, each party in the blockchain network holds a copy of the data, rather than relying on a single central party to hold and maintain a master copy. For example, blockchain technology is being used to simplify cross-border payments, removing the need for transfers to pass through multiple parties with associated charges before reaching their destination. 2While such decentralization can bring benefits, it also poses a legal and regulatory challenge if there is no central party that is responsible and can be held accountable. The key issues that present risks to firms using blockchain, which are explained further below, are blockchain systems spanning multiple jurisdictions; crypto assets; data protection; privacy compliance; and cyber attacks. Jurisdictional problems As the nodes of a decentralized ledger can span multiple locations around the world, it is often difficult to establish which jurisdictions’ laws and regulations apply to a given application. There is a risk that transactions pered by an organization could fall under every jurisdiction in which a node in the blockchain network is situated, resulting in an overwhelming number of laws and regulations that might apply to transactions in a blockchain based system. In a public blockchain system it will be important to consider what law might apply to transactions and consider appropriate risk management that should apply. However, with a permissioned or private system it is easier to create some of legal framework and internal governance structure that will dictate the governing law that will apply to transactions. In private systems it would also be beneficial to consider some of agreed dispute resolution process. Crypto assets The difficulties of applying the existing regulatory regime can be seen clearly when it comes to the use of crypto assets. We currently see a huge range of opinions from regulators on crypto assets, from outright scepticism and bans in some countries, 3to more cautious investor warnings from others, 4while yet other countries have introduced regimes to attract more crypto activity. 5 These divergences of opinion and the resulting pitfalls are well documented in the example of Initial Coin Offerings, or ICOs. The popularity of selling tokens via ICOs as a means of start-up fundraising has exploded in the last few years. Figures show approximately 21.7 billion has been raised through some 935 ICOs over the period from January to November 2018 alone, dwarfing the amounts raised for blockchain projects via traditional venture capital during the same period. 6However, given the divergence of regulator opinion on the specific legal implications of a token sale, organizations that fail to consider at the outset whether their token sale may be compliant in the jurisdictions in which they plan to offer tokens may face an uncertain future. Organizations may also have to ensure that the sale of tokens is limited to buyers in their desired jurisdictions in order to remove the risk of the offer extending to jurisdictions that are more heavily regulated or have outright bans on ICOs. In the United States, the Securities and Exchange Commission SEC has expressed concerns that many ICOs are either scams or attempts to raise money without complying with investor protection laws. Read Write Commit Example BLOCKCHAIN TYPES Open Public permissionless Open to anyone Anyone Anyone* Bitcoin, Ethereum Public permissioned Open to anyone Authorized participants All or a subset of authorized participants Sovrin Closed Consortium Restricted to an authorized set of participants Authorized participants All or a subset of authorized participants Multiple banks operating a shared ledger Private permissioned “enterprise” Fully private or restricted to a limited set of authorized nodes Network operator only Network operator only Internal bank ledger shared between parent company and subsidiaries*Requires significant investment either in mining hardware proof-of-work model or cryptocurrency itself proof-of-stake model FIGURE 1 Main types of blockchains segmented by permission model Source Hileman, Garrick and Michel Rauchs. 2017. “Global Blockchain Benchmarking Study.” Cambridge Centre for Alternative Finance.This publication may be reused for noncommercial purposes if the source is cited as IFC, a member of the World Bank Group. 3 Other countries’ policy makers and regulators have sought to clarify the position by agreeing that not all ICOs would be required to comply with the same investor protection laws as would be the case with an initial public offering. This has led to real difficulties for organizations that wish to use tokens in a legitimate way and are committed to complying with the regulatory regime wherever the token is made available. These organizations must deal with varying approaches across different countries, and the position also looks set to changepotentially very significantlyover the next few years. These problems are particularly stark when one considers the reasons organizations wish to adopt cryptocurrency as part of their infrastructure. The traditional s of raising capital to fund the growth of a business are debt financing and equity financing. This is clearly seen by both sides as a transaction in which the lender or investor should expect some of return if the business is successful, but with an appreciation of the risk involved, particularly with early stage businesses. An organization wishing to sell tokens may be seeking investment, yet it may also be attempting to build a user base through a network effect. If the organization is looking for an investment, it is perfectly reasonable for regulators and policy makers to expect it to comply with the usual investor protection laws; it would not seem equitable for an organization using cryptocurrency to circumvent these laws where the money raised from the tokens is an investment. However, it is often the case that organizations using a token model want to build a network of users by offering cryptocurrency to use within the particular ecosystem being built. The objective in this case is to encourage people to become users of the organization’s services, with the cryptocurrency used to pay for their provision. If the organization proves successful, the value of the token should increase accordingly, as usually there is a finite amount of the new currency sold. In this way, it is the users of the ecosystem who can contribute to and benefit from its success and popularity, rather than equity investors. These types of tokens are often referred to as utility or consumer tokens, in that they are designed not as an investment but rather a device or currency to consume or use a particular service. In many jurisdictions, regulators have acknowledged that there is a place for such tokens, and that they may not be regulated as an investment. A difficulty arises when organizations wish to sell tokens both to potential users of the system utility tokens and to organizations that do not intend to use the prospective service for example, an investment bank or a venture capital company. Other challenges arise when the purchaser of the token buys many more tokens than the purchaser could possibly use or where there is no usable service at the point when the token is issued. Utility tokens that are sold as investments blur the line between what is regulated and what is not regulated, making it uncertain which regulations an organization must comply with in each jurisdiction in which a token is offered for sale. These issues, together with the lack of a consistent global regulatory environment, can make it very challenging for those organizations that wish to benefit from the creation of their own crypto asset. There are many reasons why such organizations may want to create their own crypto asset, such as the payment and settlement systems example and the benefit of the network effect mentioned above. Privacy and data protection The issue of privacy and blockchain technology has been intensely debated. Many practitioners and academic commentators have claimed that blockchain technology is incompatible with privacy laws such as the EU General Data Protection Regulation, or GDPR. 7 As mentioned above, the original purpose of blockchain was to facilitate peer-to-peer transactions without the need of a central party. In a permissionless public blockchain system, no single party takes responsibility for the availability or security of a particular blockchain network, and all users of the system may have access to the data on the network. These attributes conflict with the thrust of privacy laws, which require the party controlling personal data of an individual to safeguard the security and privacy of that data on behalf of the individual or “data subject.” Both a controller the party that determines the purposes and means of processing particular personal data and a processor a party responsible for processing personal data on behalf of a controller, such as an outsourced service provider have distinct obligations under the GDPR, making it important to determine whether a party qualifies as a controller or a processor when processing personal data. With a cloud computing system, typically those uploading personal data to the cloud environment are the controllers and the operator of the cloud system is the processor. This is a key area in which blockchain systems differ. Many blockchain systems are operated by all the users in a peer-to-peer network environment, which makes it difficult to define whether users are controllers or processors. It is necessary to consider to what extent the different participants in the blockchain network are controllers based on their respective activities. Participants who personal data to the blockchain are more likely to be considered controllers under GDPR, as they determine the details of processing, whereas nodes that only process personal data are more likely to be processors, as they simply facilitate the blockchain network’s operation. However, this determination is not straightforward, as not all blockchain systems operate in the same way, and there can be different types of participants carrying out various activities.This publication may be reused for noncommercial purposes if the source is cited as IFC, a member of the World Bank Group. 4 The nodes in a blockchain system might be compared to autonomous systems on the Internet. Each autonomous system receives packets and routes them autonomously to another node, repeating until the packets reach their destination. The kind of processing that blockchain nodes per is arguably similar. The only purpose of the nodes is to ensure the in