Tokenization and Regulation: What Exists and What Is Needed?

What is a token from a legal and regulatory perspective?

June 2023

Justin McCormack
Head of Legal, State Street Digital®

As the wintry weather for cryptocurrencies continues, efforts to tokenize traditional assets, such as securities and real estate, are starting to create a break in the clouds. While cryptocurrencies and tokenized assets both rely on tokens and distributed ledger technology (DLT), the key difference between the two types of tokens is what they represent.

Cryptocurrencies generally do not have any particular asset backing them, while tokenization of traditional assets is meant to use a token to represent a claim to a particular asset or right that has a verifiable value. From a legal and regulatory perspective, key questions in tokenization are whether the resultant token effectively represents the stated claim, whether transfers of such tokens will effectively transfer the legal rights that they represent and whether there is market infrastructure to support their use.

In this article, we explore the fundamental question of what is a token from a legal and regulatory perspective, including activities being taken by various legislators and regulators to help provide clarity. We then focus on security-related tokens and explore the concept of effective transferability, identifying certain limitations that currently exist in many financial markets, and how regulation can help address those items. Finally, we examine certain novel aspects for service providers and investors in security-related tokens, and how regulatory developments can provide some welcomed clarity.

What is a token?
As noted in the article The Property Law of Tokens[1] by Moringiello and Odinet, the concept of using tokens has been around for centuries. More specifically, the authors note that there are “bodies of law that recognize the fact that possession or control of one thing, usually a piece of paper, may convey certain exclusive or relative rights in something else, which may be either an intangible right or a tangible asset.”[2] One example of legacy “tokens” is negotiable instruments, which are governed by a legal framework that enables pieces of paper that satisfy specific requirements to “confer rights that are different from those conferred by an ordinary contract written on paper.”[3]

In the United States, this body of law is contained in the Uniform Commercial Code (UCC), which is a uniform law governing commercial transactions that is generally adopted by all states. The UCC is a statutory law that provides a framework for commercial transactions, such as transfers and security interests, enabling market participants to have confidence in the fact that a transferrable item representing rights to a particular asset or claim that meets the requirements of, and is transferred in accordance with, the law will be respected by other market participants.

With that baseline, the question then becomes whether a digital token created through a tokenization exercise will be respected under the law to represent the specified rights, including when transferred among market participants.

The Uniform Law Commission, the organization responsible for drafting uniform laws such as the UCC for consideration by the states, has addressed this by proposing a number of amendments to the UCC to accommodate certain digital assets. More specifically, the commission proposed a new Article 12, which introduces the concept of a “controllable electronic record,” which is “a record stored in an electronic medium that can be subjected to control” as defined under the act.[4]

As with other assets under the UCC, Article 12 also makes controllable electronic records subject to the so-called “take free” rule, which provides that a good faith purchaser who acquires control of a controllable electronic record without knowledge of any competing claims of a property interest in that controllable electronic record acquires it free of any such competing claims that may actually exist.[5] This is the same treatment, for example, that applies to a negotiable instrument.

In addition to the creation of Article 12, the Uniform Law Commission also proposed a number of amendments to incorporate the concept of controllable electronic records into other relevant parts of the code, such as those governing security interests and securities intermediaries.[6] Article 12 and these amendments are in the process of being reviewed by the states to consider adoption.

In the United Kingdom, the UK Law Commission published a consultation on digital assets[7] that provisionally proposed the explicit recognition of a “third category” of personal property under English law (distinct from “things in possession” and “things in action”), which are referred to as “data objects,” to govern digital assets. Similar to the UCC, the UK Law Commission’s proposal also incorporated the concept of a “take free” rule for data objects. If adopted, this concept, as well as others, would facilitate orderly commercial transactions in digital asset tokens. The similarities to the UCC would also help in the promotion of consistency across jurisdictions, which is beneficial given the inherently cross-border nature of digital assets.

In the European Union (EU), while a comprehensive regulation governing the provision of services with respect to certain digital assets, referred to as the Markets in Crypto-Assets regulation (MiCA), has been finalized and is expected to be adopted in the coming months, the commercial law aspects of tokens have not been addressed bloc-wide. However, there are certain jurisdictions within the EU that have adopted local frameworks to recognize the ability to use tokens for the representation and transfer of unlisted securities. One of the leading jurisdictions is France, through its amendment of the French Financial Code (Code monetaire et financier)[8] to enable issuers to issue security tokens in registered form (not bearer form) provided that they are not listed on an exchange or admitted to the operations of a central securities depositary.[9]

In addition, Luxembourg similarly has adopted legislation[10] supporting a framework in which the issuance, conversion or transfer of dematerialized securities can be effected by registering the securities through the use of accounts on DLT.[11] Of note, the European Investment Bank (EIB) has conducted two separate fully digital native bond offerings to date, one under French law and the other under Luxembourg law.[12]

Finally, through adoption of the German Electronic Securities Act (Gesetz über elektronische Wertpapiere – eWpG),[13] issuers can now issue dematerialized securities through entry of those securities into an electronic securities register, which can be maintained solely on DLT by a crypto securities registrar.[14] The ability to issue securities in such token form is currently limited to bearer bonds and fund units to the extent not listed on an exchange or admitted to a central securities depository.[15]

Security tokens and transferability
With an understanding of how to consider the legal rights embodied by a token, it is then important to evaluate how those tokens can be used. As noted above, a key use case for tokens is security tokens. While the ability of a token to represent a security is addressed in a number of jurisdictions, transferability of those tokens is subject to a number of limitations that will need to be addressed in order to facilitate broader adoption of DLT in the securities issuance and transfer process. These limitations include restrictions on the ability to list natively-issued security tokens on regulated exchanges as well as challenges for broker-dealers in complying with certain aspects of the existing regulatory framework for trading of securities.

For example, while France, Luxembourg and Germany have all adopted legislative frameworks for security tokens, those frameworks do not apply to listed securities handled through a central securities depository. A key factor in this limitation is Article 3(2) of the EU Central Securities Depositories Regulation (CSDR),[16] which states that securities can only be listed on a trading venue if they are recorded in book entry form on a central securities depository.

In the US, the existing regulatory framework for secondary trading of listed securities requires the involvement of a number of intermediaries, including registered broker-dealers. Attempting to reconcile the operation of DLT with certain requirements to which broker-dealers are subject raises a number of questions, including how to demonstrate possession and control of customer securities.

In an effort to help address some of these questions, the Securities and Exchange Commission (SEC) issued a statement in February 2021[17] that created a five-year sandbox-like environment, whereby, if a broker-dealer complied with the framework, it would not be subject to an enforcement action for failing to comply with possession and control requirements. Some of the conditions to the framework are not easily met, such as the requirement that the broker-dealer limit its business to digital asset securities only, but its existence may prove useful if the creation and trading of security tokens becomes more widespread.

Service provider considerations for token holders
An additional relevant factor in the widespread adoption of security tokens is the existence of reputable service providers for needed investment services, such as securities exchanges, custody and related services.

Exchanges: Widespread adoption of security tokens will require the ability to trade the assets on multilateral trading venues. The exchange model that has developed for cryptocurrency tokens typically requires investors to pre-fund their exchange accounts before executing a trade. The SEC recently proposed a rule[18] under the Advisers Act of 1940 that would call this model into question for DLT tokens generally (i.e., both cryptocurrencies and security tokens). While the proposal contains a number of changes that are beyond the scope of this article, in the context of digital assets, the change to the definition of who would be eligible as a “qualified custodian” would have a significant impact on the pre-funded trading model.

Advisors would be required to hold all of their managed assets (not just funds and securities as is the case under the current rule) with a qualified custodian at all times. Commentary to the proposal provides, however, that many of the existing crypto asset exchanges would not be eligible as qualified custodians. As a result, the current DLT token trading model requiring pre-funding of trades would not be permissible for assets, whether cryptocurrencies or security tokens, managed by a registered investment advisor.

All is not lost, however, as there are a limited number of SEC-registered alternative trading systems that support the trading of digital asset securities without requiring pre-funding.[19] Further review will be needed to determine the efficacy of these models, but at least they provide an avenue of exploration that could facilitate wider adoption of tokenization of securities.

Custody: Custody banks, such as State Street, have a long history of providing safekeeping services for their clients on the basis of a clearly established body of law and regulation that defines and supports the client’s ownership rights over assets held in custody. In the banking industry, the safekeeping of client assets incorporates three core principles which are designed to effectively manage the potential risk of misappropriation or loss of assets.

These principles can be summarized as follows:

  • Separation of Financial Activities:
    Safekeeping operations must be functionally separated from trading and other similar market activities.
  • Segregation of Client Assets:
    Client assets must be segregated at all times from the bank’s proprietary assets to help ensure that they are bankruptcy remote.
  • Proper Control:
    The custodian must maintain proper control over client assets in order to identify the entitlement holder and to mitigate any “single point of failure” in the record of ownership.

These principles apply equally to security tokens on DLT. While the first two items are relatively straightforward, custodians may not be clear as to how to provide evidence of control over security tokens. The core focus of such control will likely hinge on private key management practices. Qualified custodians who are pursuing development of digital asset custody solutions will undoubtedly be focused on designing robust key management solutions and will be looking to ensure they meet relevant regulatory expectations.

In the commentary to the SEC proposed rule referenced above, the SEC provided some clarity on its expectations on this topic: For example, under the proposed rule, a qualified custodian would have possession or control of a crypto asset if it generates and maintains private keys for the wallets holding advisory client crypto assets, in a manner such that an adviser is unable to change beneficial ownership of the crypto asset without the custodian’s involvement.

While this is just a proposal, it does provide some guidance to market participants as they design their systems to be able to service the expected growth in tokenized assets.

Depositary: Certain collective investment vehicles in the EU are required to engage a depositary to provide safekeeping. A depositary’s obligations include, among other things, recordkeeping, ownership verification and, where the asset in question is a financial instrument to be held in custody, custody of such asset. While MiCA and certain European national laws provide some guidance on effective custody of digital assets, the ownership verification requirement is more challenging.

To the extent the rights embodied in the token or the legal status of the token are not clear in a particular jurisdiction, it may be difficult for a depositary to assume the obligation to verify ownership of such token. Efforts made to clarify the legal status of tokens, particularly in the case of security tokens such as noted above, as well as guidance from local regulators on best practices for ownership verification will help facilitate the development of depositary services for tokenized assets.

Financial infrastructure technology is evolving; the regulatory and legal framework needs to evolve as well
The technology powering the global financial market infrastructure is rapidly evolving with the growth of DLT. The core application of such technology in financial markets is tokenization of traditional assets, such as security tokens. Broad adoption and use of security tokens requires the development or confirmation of a commercial law framework for the rights embodied by a token and their ability to be transferred with legal effect; the development of market regulations supporting the trading of such instruments and regulatory clarity on how service providers can meet their obligations while interacting with the new technology. A number of these issues are challenging, but steps are being taken in a number of jurisdictions as noted above to begin the evolution of the regulatory and legal framework.

