The regulation of crypto-assets in the EU – investment and payment tokens under the radar

Based on the guidelines issued by the European Securities and Market Authority and by the European Banking Authority, the article deals with the legal qualification of blockchain-based crypto-assets under EU law. Focusing on crypto-assets that function as a) investment instruments (that is, investment tokens) and as b) electronic money (that is, payment tokens), the work outlines shortages and drawbacks in the applicability and enforcement of existing EU legal frameworks regulating investment activities and payment services. With such analysis, the article seeks to inform the ongoing debate within European institutions on the need of regulatory intervention in this area, and it points out pressing questions to be tackled by further research.


Introduction
Blockchain technology, with its fundamental proposition of transparency and cryptographicallysecured systems of rights' enforcement, has fuelled hyped attention across many areas, spanning from trade to copyright protection. In so far, however, the most widespread and disruptive innovation introduced by the technology remains so called cryptocurrencies and, more in general, the possibility to create units of value that circulate on a world-wide, peer-to-peer digital network.
Rooted into open-source cultures, the raise of blockchain-based financial networks expresses a neo-libertarian response to the post-2008 crisis of trust in political and financial institutions. 1 Among the speculations on what this technology could deliver, is the believe that it can nurture new, horizontal socio-economic organizations 2 and help increase transparency in institutional processes. 3 The development of the industry, however, shows that the inherent values of decentralization and transparency are increasingly challenged at all layers of the socio-technical blockchain stack. 4 Without the appropriate legal safeguards, the 'privatisation of money' that blockchain enables could entail the concentration of financial and political power in the hands of few unaccountable actors. 5 When new 'disruptive' technologies emerge, regulators must identify inherent risks and develop policy strategies to balance the various interests that innovation touches upon. To do so, it is critical to take distance from techno-solutionism and look beyond the ideological narratives on 'decentralized money' as emancipatory social artefact, to scrutinise how actual entities, economic relationships and technological solutions develop vis-à-vis existing institutions and market players.
In light of the rapid development of the blockchain industry and of the interest, from the part of European institutions, in promoting the use of the technology for financial applications (FinTech), the present work provides an overview of the most important legal frameworks that are applicable to blockchain-based financial applications under European law. Exposing shortages and drawbacks in the applicability of existing regulation, the study seeks to inform the current debate on the need of regulatory intervention at the EU level in this domain.
To bring the reader into context, Section 2 introduces the notions of crypto-assets, their use cases and the main legal issues emerging around them. Section 3 deals with the legal qualification of crypto-assets under the EU legal framework, describing the typology of tokens accepted by EU financial institutions. Section 4 and Section 5 draw on the guidelines issued by the European Securities and Market Authority (ESMA) and by the European Banking Authority (EBA) to provide an overview of the legal treatment of tokens that qualify as investment instruments and as electronic money. In this context, legal and enforcement issues raised by blockchain-based financial applications are outlined. The conclusion summarises the major findings and highlights issues of relevance for policy development and further research.

Crypto-assets: definition, use cases and legal issues
Blockchain-based tokens can be described as digitally scarce units of value the properties and circulation of which are prescribed via computer code. As their possible uses are potentially unlimited, the present paper will use the term 'crypto-asset' to encompass the wide variety of virtual currencies, virtual assets and digital tokens that blockchain can support.
The first cryptocurrency, Bitcoin, was created to function as a means of payment, but it quickly turned into a store of value subject to speculative interests. Later experiments such as the Ethereum project expanded the functionalities and diffusion of crypto-assets building upon 'smart-contracts' solutions, easing the ability to create and circulate digital tokens 'on-demand'.
In mid 2018, the 'token economy' reaches significant weigh in terms of market capitalisation. 6 Tokens are created and distributed by firms and platforms with a variety of purposes. Primarily, they can grant users access/participation to online services; they can serve as a means of payment or assure the right to purchase products; or they can represent a stake in the issuer's company, eventually conveying ancillary rights such as voting within the platform's governance system. 7 Based on these functions, crypto-assets are commonly conducted under three main categories -i.e. utility, payment and investment tokens (see below for a description of such categories) -each of which implies specific legal consequences.
Already since 2017, crowdfunding schemes based on DLTs -so called Initial Coin Offerings (ICOs) -have gained world-wide visibility. ICOs consist in the public sale of tokens over online websites and platforms, aimed at collecting funds for the initial development of a project or startup. Users' participation in ICOs is motivated by the willingness to support a project and/or by the expectation of future profits deriving from the increase in value of the token. Unless specific limitations are in place, in fact, tokens can be traded on cryptocurrencies exchanges, with direct access to a voluminous secondary market. 8 Because of their purely digital nature and disconnection from traditional financial instruments and venues, ICOs have developed into a grey regulatory area, often out of the scope of existing legal frameworks. Usually they take place without applying the rules governing the public placement of securities 9 and without involvement of traditional financial intermediaries. This allows to cut part of the legal compliance costs, 10 which makes this form of crowdfunding suitable for startups and innovative businesses -including fraudsters -that could find it difficult, too costly or unappealing to access traditional funding channels. 11 6. ICO Watch List, 'ICO Statistics -By Year (2018) European institutions and Member States have started various initiatives exploring blockchain's potential in the financial sector. 12 However, regulators also perceive that blockchainbased financial activities cannot continue to evolve in a legal vacuum, as they raise serious risks related to consumer/investor protection, market integrity and financial crimes. 13 Regulators and supervisory authorities, therefore, are tackling questions on the legal treatment of crypto-assets and looking for strategies to enforce regulation on the businesses emerging around them.
To understand how to support the development of the industry while ensuring appropriate legal oversight, European as well as National Competent Authorities (NCAs) have opened public consultations and issued extensive reports on crypto-assets. 14 On one side, legislators are willing to encourage the 'token economy' as a positive 'long-term trend', avoiding burdensome regulation that could jeopardise the industry and displace the market for investments. On the other, they recognise that legal safeguards and regulatory certainty must be in place, not only to guarantee investor protection but also to ensure a sustainable development of businesses and of the whole ecosystem. 15 Moved by the intent of maintaining a precarious balance between liberal positions and legal protections, European institutions have so far adopted a 'wait-and-see' approach, refraining from sentencing on the proper regulatory strategies to be adopted. But in the meantime, some national initiatives threat to fragment the legal framework across the Union. 16 EU policy-makers are concerned that not only a European but an international approach would be necessary to effectively regulate these new financial networks. 17 As crypto-asset's market players operate globally, in fact, regulatory and enforcement efforts at a national level might push firms towards less regulated jurisdictions. This would imply missing market opportunities, as well as jeopardising investor protection, because tokens can be sold to European investors from other jurisdictions as well. Given this risk of regulatory arbitrage, a balanced regulatory approach is preferable in order to bring crypto-assets and related businesses under the EU jurisdiction and enforcement capacities.

A (precarious) taxonomy of crypto-assets
Key to the definition of the appropriate legal treatment for blockchain-based tokens is the identification of the legal categories under which -based on their specific functions -tokens can be collocated. As blockchain-based digital assets can be created for different purposes and perform a variety of functions, they can potentially fit multiple legal categories.
In absence of an agreed upon, comprehensive taxonomy of crypto-assets, European financial authorities follow a widely-accepted classification that distinguishes tokens in three main classes: payment, utility and investment tokens -based on the different functions that tokens can perform.
Payment tokens are meant to be used as means of payment for goods or services external to the platform on which they are issued. In practice, however, the suitability of cryptocurrencies to be used as means of exchange is often hampered by the high volatility in price 18 and/or by the 'fees' that users must pay for miners to validate transactions. 19 Even if they typically do not confer further associated rights, cryptocurrencies such as Bitcoin and Litecoin, designed as means of exchange, can generate profit through increase in price, and be purchased for investment purposes. 20 Investment tokens are considered in some ways equivalent to shares, bonds, or units in collective investment vehicles, as they promise investors future financial benefits and/or rights in relation to the project they are attached to. Typically, investment tokens are issued -in exchange of dollars/ euros or other crypto-assets -in context of ICOs in order to raise initial capital for projects. Investors expect financial benefit from the increase in market price of the token/share, but can also be promised distribution of future company's profits (similar to distribution of dividends) and/ or voting rights.
Finally, tokens can be issued to grant users access to a platform, the use of a service or the right to purchase a product. These are so called utility tokens, an example of which is Filecoin. Attached to a decentralized storage network, Filecoin tokens function as a reward for users providing storage space to the network, and can be spent to store and retrieve data thereon. 21 The flexible design of digital assets implies that they can combine these functions with each other. For instance, tokens that are distributed for utility purposes can imply an investment component as well. 22  The hybrid character assumed by many crypto-assets causes definitional confusion and creates challenges to the identification of the proper legal tools to be applied. Ultimately, to determine the legal treatment of a token, it is necessary to adopt a 'substance over form approach' that looks at its actual functions in specific circumstances and moments in time. 23

A. Crypto-assets as 'transferable securities' under MiFID II
The qualification of crypto-assets as 'financial instruments' 24 (or more precisely as 'transferable securities') is crucial as it determines the applicability of an extensive set of European and national legal instruments that regulate the EU financial market and the activities/services provided therein. Such rules include the legal frameworks set out by the Markets in Financial Instruments Directive (MiFID II) 25 and the Markets in Financial Instruments Regulation (MiFIR) 26 , the prospectus regime established by the Prospectus Regulation 27 and the Prospectus Directive, 28 the Market Abuse Regulation, 29 the Transparency Directive, 30 the Central Securities Depositories Regulation 31 and other legal instruments that apply to specific activities or types financial instruments.
The question of whether tokens can fall within the scope of security regulation has been addressed for the first time by the US Securities and Exchange Commission in the 2017 DAO authority recognized that even crypto-assets labelled as 'utility tokens' can be, based on 'the economic realities underlying a transaction', classified as securities and fall under the scope of the Security Act). Report. 32 In that occasion, the issue has been resolved applying the Howey Test, which defines the boundaries of 'investment contract' as a catch-all class of securities. 33 Under the Howey Test, developed by the US Supreme Court in SEC v. W.J. Howey Co., 1946, an investment contract for the purposes of the Securities Act means a contract, transaction, or scheme entailing (a) an investment of money (b) in a common enterprise (3) with a reasonable expectation of profits (4) deriving from the efforts of the promoter or of a third party. 34 The criteria established by the test allows to identify with a flexible and substantial approach those investment activities that -characterized by financial risk and potential information asymmetries -justify the applicability of security law requirements, such as the registration of a prospectus with the SEC. Similar to the concept of 'investment contract', the category of 'transferable securities' under EU law does not have fixed boundaries. Article 4(1)(44) MiFID defines 'transferable securities' as 'classes of securities which are negotiable on the capital market, with the exception of instruments of payment'. The article provides an explanatory list of what constitute a security, namely, (a) shares in companies; (b) bonds or other forms of securitised debt; and (c) 'any other securities giving the right to acquire or sell any such transferable securities'. 35 Similarly to the approach set out by the Howey Test, EU Courts and financial authorities deploy a set of functional criteria to identify what constitutes a security for the purpose of MiFID and ancillary legislation. In particular, based on an interlinked reading of the Prospectus Regulation and of MiFID, securities are characterised by the features of tradability; negotiability on capital markets; 36 and standardization. Moreover, they need to present a functional comparability with other forms of security debt, 37 meaning, essentially, that they must incorporate a financial risk.
Transferability is meant as the ability to transfer the ownership of the unit from one person to another, regardless of the existence of any documentation or registration of such ownership. Blockchains allow individuals to transact and store value in digital wallets protected by private keys; a person or entity having legitimate control of the private keys can prove ownership of the assets associated with the latter. Given that contractual restrictions do not suffice to exclude the transferability feature, 38 tokens will fulfil this requirement as long as their transferability is not precluded at a technical level. Negotiability entails a de facto 'capability of being treated' on a capital market. 39 Such capability is demonstrated by ongoing practices of crypto-assets trading. The ease with which tokens are traded on dedicated online exchanges shows their suitability to capital markets modes of selling and buying. 40 According to the CESR Technical Advice on the MiFID, 41 standardisation implies that issued units share a number of characteristics that allow them to be considered a homogenous class. To determine whether crypto-assets are sufficiently standardized it does not matter that crypto-assets, as a whole, do not constitute a homogeneous class of instruments. Standardization must be assessed at the level of individual issuers: 42 tokens must be offered by a single issuer as standardized, fungible units. 43 Hence, unless tokens are embedded with claims and rights which make them individually different from each other, crypto-assets present the feature of standardization.
Finally, to assess the last, functional requirement, an inquiry must be made on whether tokens resemble the types of transferable securities listed in MiFID by means of example, and whether they rise financial risks for investors as to justify the applicability of prospectus rules. The answers to these questions need to be based on a case by case overview of issued cryptoassets. It is, however, a shared opinion that tokens can, in some situations, resemble shares or bonds, 44 and they indeed present a financial risk which entails the need to mitigate information asymmetry. 45 This is confirmed, on one side, by the practice of publishing white papers, which have a similar purpose to that of prospectuses in enabling investors to make informed decisions. On the other side, the conclusion is reinforced by the ratio of the exemptions set out in the Prospectus Directive. The regulator, in fact, estimates that the information asymmetry justifying the need of a prospectus is alleviated -and prospectus rules are therefore not applied -when securities are offered only to qualified investors or to a limited amount of investors (fewer than 150), or if the denomination per unit or the consideration per investor is sufficiently high (at least EUR 100.000). 46 ICOs, on the contrary, are typically addressed to very large crowds of retail investors, hardly ever accredited by professional intermediaries, and the consideration of each investor is normally very low. As such, crypto-assets offerings are diametrically opposite to those situations exempted from prospectus rules.

B. Applicable legal instruments and enforcement issues
The qualification of crypto-assets as financial instruments brings them under the supervisory and regulatory competence of the European Securities and Markets Authority (ESMA), an independent EU Authority responsible for the supervision of financial stability and investors protection within the EU financial market. In light with its investor protection and supervisory convergence objectives, the Authority has put crypto-assets under its scrutiny, with the aim of identifying potential threats and suggesting the appropriate strategies for EU and national policymakers in its area of competence. Following a 'substance-over-form' and 'case-by-case' approach, ESMA opens the possibility for crypto-assets to qualify as securities under the EU legal framework, and it establishes that, in such cases, the legal framework set out in MiFID II applies.
This view is in line with the principles that regulation should be technology neutral and that 'same rules' should apply to 'same businesses'. However, the application of the MiFID legal regime might be easier said than done. Existing rules have not been drafted having in mind the specific features of crypto-assets, nor the business models of the key intermediaries that are emerging in the ecosystem. Hence, supervisory and enforcement issues are likely to arise. The present section explores some of the EU legal instruments that become relevant when crypto-assets qualify as financial instruments, exposing related enforcement issues in the context to blockchainbased financial applications.

The markets in financial instruments directive framework
The Markets in Financial Instruments Directive framework (MiFID II), is composed of a directive (MiFID II), a regulation (MiFIR) and related implementing acts. The MiFID II framework establishes obligations for firms providing investment services/activities in relation to financial instruments as defined by the directive. In particular, under this framework, such firms need to be authorised as investment firms 47 by NCAs, and comply with specific requirements, including organisational, conduct of business, consumer protection, transparency and reporting rules.
The applicability of MiFID II requirements to entities engaging with crypto-assets will vary depending on the type of service/activity provided and the kind of financial instrument in question. In its advice, ESMA assesses the applicability of MiFID II to platforms involved with trading in crypto-assets. As these platforms perform trading and settlement in various manners, their legal treatment should be differentiated accordingly. Platforms that keep a central book and/or match orders are likely to qualify as 'multilateral systems', 48 and should therefore operate as Regulated Markets (RMs) 49 under Title III of MiFID II, or as Multilateral Trading Facilities 47. Article 4(1)(1) of Directive 2014/65/EU defines 'investment firm' as 'any legal person whose regular occupation or business is the provision of one or more investment services to third parties and/or the performance of one or more investment activities on a professional basis'. 48. Article 4(19) of Directive 2014/65/EU defines 'multilateral system' as 'any system or facility in which multiple thirdparty buying and selling trading interests in financial instruments are able to interact in the system'. 49. Article 4(1)(21) of Directive 2014/65/EU defines 'regulated market' as 'a multilateral system operated and/or managed by a market operator, which brings together or facilitates the bringing together of multiple third-party buying and selling interests in financial instruments ( . . . ) in a way that results in a contract, in respect of the financial instruments admitted to trading under its rules and/or systems, and which is authorised and functions regularly and in accordance with Title III of this Directive'.
(MTFs) 50 or Organised Trading Facilities (OTFs) 51 under Title II of the directive. Operators dealing on own account and executing orders against their own capital -that is, acting like brokers/dealers -, instead, should comply with the requirements set out in Title II of MiFID II. Finally, platforms that are merely used to advertise buying and selling interests can be treated as bulletin boards, out of the scope of MiFID II as of Recital 8 of MiFIR. The ESMA recognises existing barriers to the factual applicability of the MiFID II and MiFIR rules to firms operating in the crypto-assets market. For instance, the obligation to verifying investors' reputation, trading ability and competence is hardly compatible with the dominant practices of crypto-assets trading venues. Since no professional intermediation takes place in crypto-assets financial activities, the assessment should be carried out by the platforms/issuers themselves. Due to the large number of investors, such task would be very resource intensive tasks. Moreover, as there is no formal entry barrier for investors (for example, normally, no minimal threshold for the investment is set), it is likely that most participants lack the necessary requisites to participate.
Regulated markets and MTFs are normally registered in identified venues. Crypto-assets, instead, can be issued and traded on websites without any legal entity's incorporation. This creates territoriality issues, further complicating the applicability of MiFID II requirements. As argued by Hacker and Thomale in relation to the applicability of the Prospectus Regulation, existing requirements 'should apply if the website can be accessed, and tokens bought, from computers located in the EU'. 52 However, even when territorial competence can be established, it is unclear how competent authorities can carry out the necessary monitoring of platforms' conduct of business, detect infringements and enforce potential sanctions.
The most relevant issues arise in relation to platforms deploying decentralised business models and relying on self-executing pieces of code for their operations (so called 'decentralised exchnages'). While this emerging type of platforms might mitigate traditional counterparty risks, 53 the fact that no accountable operator can easily be identified obstructs the enforcement of MiFID II requirements. Similarly, the ESMA identifies as problematic the qualification of hybrid platforms (for example, those that match orders but do not provide their executions) and the determination of the applicable rules.

The prospectus directive and regulation
The Prospectus Directive 54 and the more recently adopted Prospectus Regulation 55 are key regulatory instruments aimed at ensuring investor protection by mitigating information asymmetry within the EU financial market. In particular, the prospectus regime requires the approval and 50. Article 4(1)(22) of Directive 2014/65/EU defines 'multilateral trading facility' or 'MTF' as 'a multilateral system, operated by an investment firm or a market operator, which brings together multiple third-party buying and selling interests in financial instruments ( . . . ) in a way that results in a contract in accordance with Title II of this Directive'. 51. Article 4(1)(23) of Directive 2014/65/EU defines 'organised trading facility' or 'OTF' as 'a multilateral system which is not a regulated market or an MTF and in which multiple third-party buying and selling interests in bonds, structured finance products, emission allowances or derivatives are able to interact in the system in a way that results in a contract in accordance with Title II of this Directive'. distribution of a prospectus 'when securities are offered to the public or admitted to trading on a regulated market situated or operating within a Member State', 56 unless specific exemptions apply. Precisely, the prospectus rules apply to regulated secondary markets 'situated or operating within a Member State'; 57 and to entities issuing securities in the EU, even when incorporated in a third country and not listed in regulated secondary markets in the EU. 58 Under the regulation, the prospectus must contain all the information that are necessary for investors to make an informed assessment of the financial situation of the issuer and/or of guarantors, of the rights attached to the securities and the circumstances of the issuance. Before publication, the prospectus must be approved by the competent national authority, and it will be valid across all EU Member States.
Where crypto-assets qualify as transferable securities, their issuers and trading platforms operators -if located or operating in the EU -are obliged to fulfil the prospectus requirements. This conclusion seems to find confirmation in the ratio of the exceptions to the obligation of publishing a prospectus provided in Article 1(4) of the regulation. Beside the case in which the size of the offer does not trigger the applicability of the legal instrument, 59 the legislator exempts operators from prospectus requirements when (a) securities are offered solely to qualified investors; (b) the offer of securities is addressed to fewer than 150 natural or legal persons per Member State, other than qualified investors; (c) the denomination per unit of the security amounts to at least EUR 100,000; (d) the offer of securities is addressed to investors who acquire a consideration of at least EUR 100,000 each. These circumstances are unlikely to take place in the context of ICOs, which tend to gather a large number of participants that contribute with small amounts of funds.
As mentioned above, token sales often take place in very early stages of the project and in absence of intermediaries (such as registered Credit Rating Agencies 60 ) that can verify the suitability of the issuer. This increases the possibility of scams and unsuccessful business initiatives. Hence, the rules established by the Prospectus Directive and Regulation are suitable for the cryptoassets industry, where the need to tackle information asymmetries is real.
The need for crypto-assets' public sales to be accompanied by detailed and transparent information is demonstrated by the established practice of drafting white papers. The white paper is a document published on the projects' website which normally contains basic information on the issuer, the structure of the token offer (initial price; amount of offered tokens; etc.), the implementation road map of the project and some technological details.
White papers are generally free in form and content, and subject merely to the scrutiny of retail investors. The Prospectus Regulation, on the contrary, provides for highly standardized formats of prospectus and summary documents. Since, as of today, no specific schedule is provided for the public offer of crypto-assets, ESMA advises to use prospectus schedules on a flexible manner and exploiting the concept of 'adapted information'. 61 For instance, if an ICO is considered to substantially resemble an IPO, the issuer could be required to comply with the information requirements that are set out for equity securities. Moreover, the disclosure of the code underlying the crypto-asset in question could become mandatory for prospectus purposes. 62 Notwithstanding the formal applicability of the law, however, the enforcement of prospectus requirements on blockchain-based ventures faces several challenges. The violation of prospectus requirements is the basis upon which the Italian financial supervisory authority, CONSOB, has recently ordered the suspension of two public offers of tokens -which the authority qualified as, de facto, 'financial instruments' -to Italian investors. 63 The case revealed important enforcement drawbacks as (a) the infringement has been detected solely on the basis of private reporting; and (b) the suspension of the order has been executed due to the cooperation of the Internet Service Provider (in this case, Facebook), which agreed on shutting down the web-page where the token sale was addressed to Italian investors.

Book-entry forms, book-keeping and record-keeping requirements
Business providing services for crypto-assets' storage and transaction shall also be subject to bookentry form requirements, rules on safekeeping and record-keeping of ownership and rights attached. For instance, issuers of crypto-assets could -if the digital asset in question qualifies as a security and is traded on a trading venue -be obliged to ensure that such securities are represented in book-entry form with authorised Central Securities Depositories (CSDs), as defined under Article 2(1) of the Central Securities Depositories Regulation. The applicability of rules on safekeeping and record-keeping of ownership of securities is, however, unclear in the context of crypto-assets. First, Regulatory Technical Standards 64 used for reporting and recordkeeping obligations are based on identifiers and classifications that do not capture crypto-assets; hence they will likely need to be adapted to such new instruments. 65 Secondly, there is no EU-wide definition of what constitute safekeeping and record-keeping activities, and the related rules apply to a variety of actors such as custodian banks, registrars, notaries, depositaries or CSDs. And finally, it is not clear what constitutes safekeeping in the specific context of crypto-assets. The ESMA is of the opinion that holding private keys on behalf of clients might be regarded as safekeeping activity, triggering the applicability of related rules. However, further clarification is necessary as the control of private keys can be shared among multiple actors, such as in the case of 'multisignature wallets' where more than one key is needed for transactions' validation.
In a recent guidance, the US Financial Crimes Enforcement Network (FinCEN) has clarified the applicability of the Bank Secrecy Act (BSA) obligations -which include, among others, recordkeeping, recording and transaction monitoring-to business models that involve money transmissions in 'convertible virtual currencies'. 66 Examining a number of exemplary business models, the document highlights that 'P2P exchangers are required to comply with the BSA obligations that apply to money transmitters, including registering with FinCEN as an MSB [money service business] and complying with AML program, recordkeeping, and reporting requirements'.
With regard to wallet providers, the analysis distinguishes between 'hosted' wallets -whereas funds are controlled by a third-party service provider -and 'unhosted' wallets -where users themselves control the funds. While hosted wallet providers must comply with AML and monitoring obligations that apply to money transmitters, unhosted wallet providers are generally exempted from such rules. The document also considers the case of 'multiple-signature wallet providers', which typically 'maintain in their possession one key for additional validation, while the wallet owner maintains the other private key locally'. 67 Also in this case, the key distinction is between hosted and unhosted wallet, which determines the providers' control over the stored value: 'If the multiple-signature wallet provider restricts its role to creating un-hosted wallets that require adding a second authorization key to the wallet owner's private key in order to validate and complete transactions, the provider is not a money transmitter because it does not accept and transmit value. On the other hand, if the person combines the services of a multiple-signature wallet provider and a hosted wallet provider, that person will then qualify as a money transmitter'. 68 The FinCEN guidance suggest the importance of looking at the actual technical capabilities and level of control exercised by the service provider in order to attribute the appropriate degree or type of legal responsibility. In line with this criteria, the applicability of book-entry forms, bookkeeping and record-keeping requirements could be excluded for those actors that do not store transactions in privately-controlled servers or do not manage users' private keys. More in general, to define which rules should govern the operations and technical procedures of financial operators, it seems fundamental to look at the technical infrastructure that underpins transactions and the ways in which it shapes the interactions between the involved parties. The attribution to users of greater control over funds and the public accessibility of blockchain's transactions' records might make some of the rules provided for book-entry forms, book-keeping and record-keeping redundant.

Legal framework on crowdfunding
Within the EU legal framework, crowdfunding is an activity covered by specific rules -currently under reform from the part of the European Commission. Crowdfunding is defined by ESMA as 'a means of raising finance for projects from 'the crowd' often by means of an internet-based platform through which project owners 'pitch' their idea to potential backers, who are typically not professional investors'. 69 Based on such definition, ICOs and token sales can, in many cases, be qualified as a form crowdfunding.
As of today, the rules applicable to crowdfunding vary significantly across Member States. In general, it's possible to distinguish between more traditional and more 'innovative' approaches. Whereas the former ones bring 'financial return crowdfunding' under the scope of banking or 67 financial regulation, the latter deploy bespoke regimes or safe harbours. 70 In general, the dominant approach across the EU is that of establishing, for crowdfunding activities, exemptions from financial markets rules; however, these are not easily applicable because of strict caps limitations. 71 To eliminate differences across the Capital Market Union and foster the development of the crowdfunding emerging industry, the European Commission -as part of its 2018 Fintech Action Plan -has presented a proposal for a regulation on crowdfunding service providers. 72 The proposal has the scope to ease the access to alternative (non-bank) sources of finance, 'such as crowd and peer-to-peer finance ('crowdfunding')' 73 for innovative companies, start-ups and other unlisted firms. In particular, the new rules apply to crowdfunding services which entail a financial return for investors, such as investment and lending-based crowdfunding. 74 Considering the likelihood of Initial Coin Offerings and crypto-assets sales to be deployed in the context of crowdfunding activities, the European Commission should clarify the applicability of the new legal framework -which will also include amendments to MiFID II -to intermediaries involved in blockchain-based peer-to-peer financing. The new regulation, in fact, could provide a coherent supervisory system and a unified licensing regime for blockchain-based crowdfunding initiatives.

Payment tokens
A separated, but interconnected, area of regulation that could apply to blockchain-based cryptoassets -and firms in this area of business -is that pertaining to banking and payment services. The European Banking Authority (EBA) -competent for the supervision and prudential regulation of the European banking sector -has issued, in 2019, an assessment on the potential applicability to crypto-assets of rules governing electronic money and payment service providers. In particular, its recently published 'Report with advice for the European Commission' 75 addresses the question of whether crypto-assets that are used as means of payment may qualify as 'electronic money', falling under the scope of the Electronic Money Directive 2 (EMD2) 76 and of the Payment Services Directive 2 (PSD2). 77 The report responds affirmatively: when crypto-assets are used as a mean of payment, they can qualify as 'electronic money' within the meaning of the EMD2. Such qualification implies that the assets in question are also to be considered 'funds' for the purposes of the PSD2. It follows that firms offering 'payment services' (as listed in Annex I of the PSD2) in crypto-assets fall within the scope of the PSD2. According to this Directive, Member States must ensure that electronic money is issued only by authorized 'electronic money issuers' (Article 10 PSD2) and that these have in place appropriate sources (including an initial capital of at least EUR 350,000 and own a proportionate amount of own funds) and safeguarding measures.
The application of Anti-Money-Laundering rules is also a main concern regarding cryptocurrencies used as mean of payment. Notably, the Anti-Money Laundering Directive 78 has been recently amended as to include virtual currencies-to-fiat exchanges and custodian wallet providers in its scope of application. However, the Financial Action Task Forcec, 79 ESMA 80 and EBA 81 have all underlined that the Directive needs to be further updated as to include a wider spectrum of actors involved in the crypto-assets industry, namely: a) providers of crypto-asset to crypto-asset exchanges; b) providers of financial services for ICOs.
For what concerns institutions (credit institutions and investment firms), payment institutions and electronic money institutions that engage in activities involving crypto assets (such as owning crypto-assets, making-markets, lending against crypto-asset collateral, providing custody or exchange services, etc.), the EBA report highlights the priority of establishing adequate reporting and disclosure requirements. Moreover, it advises the Commission to promote as much as possible 'convergence on the accounting treatment of institutions' exposures to crypto-assets'. The EBA is also conducting a study on the prudential treatment of banks' exposure to/holding of crypto-assets in cooperation with the Basel Committee on Banking Supervision, 82 assessing the need to establish capital and liquidity requirements. In the meantime, the authority is of the advice that policymakers and institutions -both at the EU and at the national level -should adopt a conservative prudential approach in order to mitigate risks arising from exposure to crypto-assets.
Finally, the EBA acknowledges the lack, in most jurisdictions, of specific reporting obligations for crypto-assets activities. Therefore, it announces the development of a 'common monitoring template' that national authorities can provide to institutions for them to report their activities in this domain In the document here analysed, the EBA advances the opinion that existing supervisory powers should suffice to oversight and timely act on possible risks to the financial soundness of the regulated entities. The report, however, has been published before the announcement by Facebook of the upcoming launch of Libra, a new digital currency designed to run on a private blockchain governed by a consortia of e-commerce platforms and payment firms. The proposal of Libra, in fact, has revived discussions -within EU institutions -on the need to fill existing gaps in the regulation of crypto-assets 83 and to assess the related risks, 'in particular with regard to financial stability, monetary policy, data privacy, money laundering, consumer protection, competition and cyber security'. 84

Conclusions
This article presented some of the most relevant legal instruments that apply to crypto-assets and related activities under European financial law, exposing the challenges of enforcing existing rules to fluid, ever-evolving and possibly ephemeral financial applications based on DLTs. Such analysis is useful to identify important policy questions for further research, and to inform the current debate on the need of regulatory intervention at the EU level in this domain.
From a conceptual and methodological point of view, European authorities determine the legal treatment of tokens by including them within general categories -payment, investment and utilitythat are associated with different, specific functions. These three categories, designed to steer crypto-assets toward specific areas of regulation, are to be considered archetypes, whereas existing tokens tend to combine more functions (hybrid tokens) and present fluid characteristics. Therefore, while this classification is important, it does not exempt from the need to adopt a case-by-case approach when evaluating risks and legal provisions that concern crypto-assets.
Crypto-assets that qualify as investment instruments or as electronic money fall under the scope of European financial regulation. Specifically, the requirements for issuing and trading securities apply to tokens with an investment component, while the rules governing e-money and payment service providers are applicable to payment tokens. However, such simplistic scheme presents several downfalls. The attempt to bring crypto-assets investments under existing safeguards and investor protection schemes is justified by concrete risks, but the overview provided in this paper shows that existing requirements do not always fit the features of businesses and start-ups in the blockchain industry -their technical, operational processes, as well as their inherent incentives' systems.
On the one hand, some concepts and requirements need to be better defined and understood in the context of DLTs; for instance, it should be clarified what constitutes 'custody or safekeeping of crypto-assets'. On the other, the application of existing requirements is likely to be hindered by enforcement issues, which arise because of decentralisation, international nature and nonincorporation of entities. Finally, not all tokens can be captured, based on their specific functions, by existing legal regimes. This is the case of crypto-assets that are commonly referred to as utility tokens. In order to fill the legal vacuum, some EU Member States (as of today: Malta, Gibraltar, Lichtenstein and France) have put in place bespoke legal regimes, as to ensure a coherent, comprehensive legal framework for the growing industry. However, a fundamental problem persists: the line between security, payment and utility tokens is blurry. Legal regimes might overlap or succeed each other in different phases of the tokens' lifespan. For this reason, legal uncertainty remains a major issue, as tokens are functional parts of evolving, innovative solutions which can hardly be reduced to pre-existing classes or defined a priori. Beyond these drawbacks in the applicability of existing rules, a normative stance on the regulation of blockchain-based financial application must also take into account the socioeconomic dynamics that shape and are re-shaped by these technologies, checking them against the policy objectives that regulation tries to achieve. The issue of how existing legal requirements and safeguards should be applied within the DLTs ecosystem is primarily a question on the roles of the various actors involved therein. The recent announcement by Facebook of creating its own, privately controlled 'global currency and financial infrastructure that empowers billions of people' 85 is a good reminder of the need to scrutinize the interests and powers that drive the development of blockchain-based solutions.
Notwithstanding its decentralized, open-source roots, the crypto-asset market got quickly populated by a whole new range of intermediaries and financial service providers -that is, exchanges, custodian wallet providers, cryptocurrencies landing platforms, remittances services, investment funds managers -which, due to their business models and organizational/technological arrangements, might not be covered by current legal definitions and/or be able to elude supervisory regimes. With this in mind, the regulation of blockchain-based financial applications must not only be concerned with fighting illicit behaviors, but also with balancing conflicting interests at stake and preventing influential actors from taking advantage of legal loopholes and institutional failures.
The regulatory and technical enforcement challenges posed by DLTs are epitome of a broader ongoing struggle between technological innovation and legal compliance. From the New York's 'BitLicence' and the Chinese ban, to the Maltese ad-hoc legal framework, the regulatory attempts that have been registered so far demonstrate that regulation plays an important role in directing the development of the technology: the practices it enables, its geography and public adoption. Yet, defining a legal framework for emerging blockchain-based financial technologies is not an easy task, as there are multiple, colluding factors to take into consideration.
The principle of technological neutrality imposes to treat 'same businesses with the same rules'. At the same time, however, the appreciation of the (alleged) social and economic potentials of DLTs urges policy-makers (attracted themselves by profit opportunities) to relieve innovative businesses from burdensome legal duties constructed for older kinds of economic actors.
Should financial law requirements be better tailored as to accommodate decentralized business models and peer-to-peer fintech solutions? Why are some states particularly interested in attracting the blockchain industry? Which are the advantages and which are the dangers of blockchain-based, privately managed financial networks? Is a 'regulatory competition' among states -aimed at attracting the industry -potentially beneficial, or could it jeopardise legal safeguards, creating financial stability, market integrity and consumer protection risks? Is legal intervention necessary to protect an adequate level of competition in the provision of financial services within the EU? These are some of the long-term policy questions that legal scholars and European, as well as national law-makers must address to navigate the uncertain terrain of the regulation of cryptoassets. 85. Libra Association, 'White Paper', Libra Association (2020), https://libra.org/en-US/white-paper/.