ICOs and their Regulatory Implications, Question and Answer with Business Analyst Alex Rogers

Posted by Shirjeel Fahid on 08-Jan-2018

Q&A Alex Rogers: ICOs and their Regulatory Implications

To find out more about this topic, we speak with our Business Analyst, Alex Rogers.



Can you explain briefly what an ICO is and how it differs from other forms of capital-raising?

An ICO, or Initial Coin Offering, is a means for start-up businesses to raise capital for a blockchain-based project. A company issues a cryptocurrency and trades this for either fiat money or a more established, and therefore liquid, cryptocurrency such as Bitcoin or Ethereum.

How this differs from other forms of fundraising, such as an IPO, is primarily threefold:

  • Timing: Whereas a company looking to launch an IPO is usually at an advanced stage in its development, a company looking to launch an ICO may not even have a working product, rather relying on a blueprint for what that product will become, in the form of a whitepaper;
  • Equity: In an IPO, a company issues shares to investors in exchange for their investment and these shares carry ownership in the company. In contrast, ICO tokens do not confer ownership;
  • Regulation: IPOs are subject to rigorous compliance requirements that are used to ascertain the strength of a company and that its shares are suitable to be listed on the particular exchange. Even unregulated markets have detailed requirements with which companies should demonstrate compliance before listing becomes a possibility. By contrast, the cryptocurrency market in general and ICOs more specifically are unregulated. This is advantageous from a company’s perspective in that it can raise large amounts of capital to quickly fund its product without having to comply with potentially prohibitive regulatory responsibilities. Also, as aforementioned, investors in an ICO do not have equity in the company, making it very attractive to companies in terms of retaining control. This does however mean that investment in ICOs is potentially highly risky from an investor’s point of view. The advantage is that the ROI can make it one of, if not the most, profitable forms of investment. If you take the average return on the S&P 500 since its inception in 1928 being 10% and compare that with the rate of return on, to take one example, the ICO that launched the blockchain platform Ethereum, whose ICO price was $0.311 per token compared with a current price of $1154.390, representing a 370,586% ROI, this is illustrative of why ICOs have captured investors’ imaginations. Investment in ICOs can be summed up in one phrase: extremely high-risk and (potentially) extremely high-reward.

Another form of capital-raising from which ICOs differ and to which they are sometimes compared, is crowdfunding.

The primary difference between crowdfunding and ICOs is the lack of an intermediary in ICOs. Where money is raised via for example Kickstarter or Gofundme, the platform is the conduit between investors and the company: Kickstarter must give the company raising the funds the money that has been raised, and investors rely on Kickstarter to deposit the funds with the company or issue them with refunds if the project does not reach its goal.

An ICO removes this third party: investors directly fund the company carrying out the ICO and the company, not a third party, is responsible for returning funds in case the target amount is not reached.

This is in addition to the fact that crowdfunding platforms are usually registered and in compliance with applicable regulatory regimes, for example the JOBS Act in the US, again unlike ICOs.

Finally, people donating to crowdfunding projects do not generally expect to be rewarded. In contrast, ICO token holders expect the issued tokens to carry some utility, either by allowing them to use the token to access future services on the platform or participate in the running of the blockchain e.g. staking tokens to verify transactions on the blockchain and thereby gaining the reward of more tokens. The most common reason investors invest in an ICO is that they hope the value of the issued token increases, yielding them a profit.

Can you explain briefly how an ICO works?

A company looking to undertake an ICO will publish a whitepaper explaining how the blockchain-based project will satisfy a particular need.

Whereas in an IPO a company will issue shares and sell these on a specified market, in an ICO a company will create a new digital currency and then give these in exchange for investment.

Although, as pointed out, the tokens do not confer ownership and nor do they entitle the owner to dividends, nevertheless if the company is successful in creating a product, its tokens will increase in value: indeed, in many cases these tokens can increase in value based purely on speculation.

A key component of how ICOs actually create and distribute tokens, as well as receive funds, is the smart contract.

A smart contract is essentially a computer programme that is stored on a blockchain. The smart contract executes certain outcomes (e.g. issuing tokens) on the completion of specified events (e.g. receiving funding for said tokens).

In this way, smart contracts can be utilised to create and distribute digital tokens during an ICO.


What is the current size of the market?

ICOs raised in excess of $5.6bn last year, with $1.2bn raised in December 2017 alone, up from $222m in 2016 and $14m in 2015, so the growth has been exponential. This number is still less than the sums raised by traditional VC investment in the same period, but the gap is getting smaller. The rate of increase does suggest that the ICO market could challenge traditional VC investment in the future unless this growth is curtailed by regulatory issues or potentially newer and more effective means of raising capital.


How secure are ICOs and can Cognosec assist in the security aspect?


This is largely dependent on whether the teams involved take sufficient precautions. Due to the unregulated nature of the market, there are no universal strict rules by which companies have to abide, rather a series of best practices and it is currently largely up to the companies themselves as to whether and to what degree they apply them.

As a famous example of what can go wrong: the DAO (Decentralised Autonomous Organisation) was an ICO-based online venture capital fund built on the Ethereum blockchain that was hacked due to a flaw in the smart contract code. Of the over $150m raised, $55m was stolen: the funds were recovered but this necessitated a hard fork in the Ethereum blockchain (essentially rendering the offending transactions retroactively invalid on the Ethereum blockchain). A hard fork is not a step that would be open to most companies and so any company considering an ICO should include smart contract auditing as part of its budget.

Cognosec has extensive experience in penetration testing and traditional source code analysis and, due to R&D forming a cornerstone of our business development, our technical staff are well-versed in Solidity (the programming language of the Ethereum blockchain) as well as more traditional languages such as Java and Python that can be used to create smart contracts on other blockchains. As such, we are uniquely placed as a Nasdaq-listed company that can offer auditing services for every aspect of a blockchain-based project: this includes smart contract auditing for an ICO.


What has been the regulatory response?

Due to the speed with which ICOs have become prevalent, there has been precious little in the form of specific regulation.

However, regulation is coming: this has been presaged by the fact that ICOs have been banned in China and South Korea, and in the U.S. the law dictates that only accredited investors can be involved in private placement of securities. The question of whether or not ICO tokens constitute securities is part of an ongoing discussion but ICOs have generally erred on the side of caution and closed token sales to U.S. investors unless an exemption applies.

There is legitimate cause for concern: for example, AML/KYC has not traditionally been carried out by companies conducting ICOs and this means that there is a danger that funds could come from nefarious channels.

Any company raising large amounts of funds without carrying out necessary checks is risking criminal sanction. There are technical solutions, such as third-party plug-in software that can carry out AML/KYC on the company’s behalf, but the rate of adoption of these as well as effectiveness is not yet documented.

The response from China has been unequivocal, referring to ICOs in September 2017 as ‘a form of unapproved illegal public financing behaviour’.

The U.S. referred to the tokens issued in the DAO as constituting securities and therefore subject to SEC regulation, although pursued no further action against those involved, likely due to the unclear regulatory framework around ICOs. By declaring these tokens as constituting securities, they have however created a precedent when it comes to token sales to U.S. investors. Companies will have to be wary in future or face potentially serious consequences.

The SEC initially issued an investor alert stating that trading in ICOs was a high-risk activity, and this was followed by charging two companies on September 29th that raised $300,000 from investors with fraud and selling unregistered securities: the person behind these, Maksim Zaslavskiy, was charged with defrauding investors.

Many ICOs have worked around the above issues by simply barring people from the aforementioned countries from participating in token sales or, in the case of the U.S., relying on exemptions such as those existing under SEC regulation to allow some institutional investors to participate. This is an imperfect solution as even if geolocation is used to block e.g. Chinese citizens, this can be bypassed via VPN or proxy.

The EU and the UK are already in the process of consulting and potentially drafting legislation that will seek to regulate the cryptocurrency space potentially before the end of 2018, and this would certainly incorporate ICOs.

Another effect of a harsher regulatory regime may be the movement of ICO operations to ‘safe haven’ territories, where the regime is, for the moment, lighter touch. Countries such as Japan, which recently passed a law accepting bitcoin as a legal payment method, and Switzerland are developing reputations for being more open to blockchain-based start-up projects, although how long this will continue is debatable.

A key question in the U.S. is whether ICO tokens are indeed securities for the purposes of the SEC. In response to this, in October 2017 the New York law firm Cooley LLP, backed by Protocol Labs (who were behind the largest ICO in the space raising $252m, Filecoin), created a legal framework for ICOs called a ‘Simple Agreement for Future Tokens’ (SAFT).

SAFT would potentially allow ICO token sales to comply with US securities law. It argues that ICO tokens can under certain circumstances fail the test required to ascertain whether a financial instrument constitutes a security, the Howey Test. Specifically, if a token is only delivered to investors after a functioning product/service exists and the token is a genuinely useful part of a functioning network, then the token would not constitute a security.

What does not exist currently is an objective measure of what would constitute a functioning entity and a ‘genuinely’ useful token. As things currently stand, tokens from successful ICOs are delivered to investors immediately after the token sale and before a product exists, and these are then traded on secondary markets. As these tokens are pre-functional, they satisfy the requirement of the Howey Test, namely that people purchase it on the expectation of profit from the efforts of others.

The SAFT functions as a written promise that a company can give accredited investors such as VCs, wherein they will issue tokens for a future product in exchange for immediate funding. This allows the company to secure funds immediately and without violating US securities laws, and allows VCs to invest in potentially profitable projects.

The Filecoin ICO that took place under SAFT appears unlikely to attract the criminal sanctions that befell the Zaslavskiy ICOs, which indicates that the larger more sophisticated ICOs may still flourish. If SAFT is accepted, this could change the landscape considerably and perhaps pave the way for more institutional money to flow into the ICO space.

This approach, if validated, would open up direct investment from US investors to ICOs, which would provide a huge boost to the overall market.


What are the potential issues with ICOs from the basis of a company looking to launch one?

One is source of funds: one of the criticisms of cryptocurrencies generally and the dangers of ICOs in particular is that due to their relatively anonymous nature, they are a potential avenue for money laundering or financing crime e.g. terrorism.

In response to this there exist companies such as KYC-Chain that perform due diligence on ICO investors, but due to the unregulated nature of the space it is difficult for companies to ascertain who is trustworthy enough to provide an audit in the first place.

Auditing is therefore an essential consideration for companies wishing to undertake an ICO. The issue of source of funds is therefore one part of the wider compliance that companies must be aware of if they are to undertake an ICO.


How can Cognosec assist companies looking to undertake an ICO?

As a Nasdaq-listed company with significant experience in the financial and technological sectors and accreditations across a variety of jurisdictions and industries, we are well placed to provide companies with a full ICO compliance solution, offering technical auditing as well as regulatory compliance across relevant jurisdictions.

Our combination of technical security expertise and regulatory compliance experience from a listed entity is unique in the cryptocurrency space: while there is exciting growth in this sector the potential hazards for both investors and companies themselves are plain and this is where Cognosec can add value, by being a holistic security and compliance solution.

The landscape is currently unclear but the fact remains that ICOs are currently a viable means for companies of raising large amounts of capital in a short time and that in the absence of a clear regulatory picture, companies undertaking ICOs are advised to take every precaution they can and paramount in this is ensuring the security of their platforms, exercising due diligence at every step and being able to demonstrate every attempt at compliance: Cognosec, with proven experience in both the cyber security and regulatory compliance fields is ideally placed to assist.
