Security Token Offerings: AML and KYC (2024)

Security Token Offerings (STOs) were created due to high demand for regulatory oversight of Initial Coin Offerings (ICOs), which can be used to scam investors. So what exactly is an STO? How are STOs regulated? And what are the KYC/AML requirements for STOs? Let’s get into the finer details.

What is considered a Security Token Offering (STO)?

STOs are a form of fundraising involving the issuance of digital tokens to investors. In many jurisdictions, tokens issued under STOs are considered a security if they represent the right to any financial gain or claim on the issuer. Tokens usually give holders rights similar to those of ordinary securities (for example, sharing, voting, dividends, etc.)

What is the difference between an ICO and STO?

The processes for launching ICOs and STOs are similar. The main difference is based on the characteristics and functions of the issued tokens. For instance, in an ICO, capital is raised by selling utility tokens, which give owners the right to use the company’s product or service once it is developed. In security token offerings (STOs), companies sell tokenized traditional financial instruments—such as, for example, equity where token holders receive rights to future profits.

*The FATF’s Guidance on virtual assets considers ICOs as VASPs in some cases, while the FCA’s Guidance on cryptoassets considers them e-money services. 

How are STOs regulated? 

Most countries have regulations based on local securities laws. However, some jurisdictions haven’t introduced any regulations yet. 

STO regulations in the United States

Under the Securities Act of 1933, any offer or sale of a security made to US residents must either be registered with the Securities and Exchange Commission (SEC) or meet exemptions. Here are the most common exemptions:

Regulation D

• Rule 504 of Regulation D exempts the offer and sale of up to $10 million of securities in a 12-month period from registration. 

• Rule 506(b) allows the sale of STOs to an unlimited number of accredited investors and up to 35 other purchasers in any 90-calendar-day period. All non-accredited investors, either alone or with a purchaser representative, must be sophisticated—that is, they must have sufficient knowledge and experience in financial and business matters to make them capable of evaluating the merits and risks of the prospective investment. Under this rule, investors must self-verify their accredited status, while issuers should confirm it. 
• Rule 506(c) allows the sale of STOs only to accredited investors. The STO issuer is obliged to conduct a check or take “reasonable steps” to verify that the investors are indeed accredited. This exemption allows unlimited raising of capital.

Except in limited circumstances, purchasers of securities offered pursuant to Rule 504 and Rule 506 receive “restricted” securities, meaning that the securities cannot be sold for at least six months or a year without registering them.

Companies that comply with the requirements of Rule 504 and 506(b) or (c) do not have to register their offering of securities with the SEC, but they must file what is known as a “Form D” electronically with the SEC after they first sell their securities. Form D is a brief notice that includes the names and addresses of the company’s promoters, executive officers, and directors—as well as some details about the offering—but contains little other information about the company.

Regulation S

Regulation S exempts from SEC registration all STO offers and sales that are completed entirely outside the United States and made only to non-US residents. 

Regulation A

According to Regulation A, a public offer or sale of eligible securities shall be exempt from the registration requirements of the Securities Act in the following cases:

• The sum of all cash and other consideration to be received for the securities being offered (“aggregate offering price”) plus the gross proceeds for all securities sold pursuant to other offering statements within the 12 months before the start of and during the current offering of securities (“aggregate sales”) does not exceed $20 million, including not more than $6 million offered by all selling security holders that are affiliates of the issuer (Tier I).
• The sum of the aggregate offering price and aggregate sales does not exceed $75 million, including not more than $22.5 million offered by all selling securityholders that are affiliates of the issuer (Tier II).

Regulation CF

Regulation Crowdfunding (CF) exempts from registration the sale of up to $5 million of securities in a 12-month period. It sets no investment limits for accredited investors. Non-accredited investors are subject to investment limits based on their greater annual income and net worth. Additionally, securities purchased in a crowdfunding transaction generally cannot be resold for one year.

STO regulations in the EU

There are no specific regulations for STOs, however a number of the EU-level regulations may apply to STOs in some cases. For example, the EU Prospectus Regulation applies if STO tokens are characterized as transferable securities under MiFID II (unless certain exceptions apply). The EU Prospectus Regulation sets out the regime for the prospectus that must be published by a company when its securities are offered to the public or are admitted for trading on a regulated market.

All in all, the regulation of STOs across Europe may follow one of the following approaches:

1. Regulation of STOs under the traditional rules applicable to securities. In some cases, this includes specific legislation that facilitates the use of Distributed Ledger Technology (DLT) and may impact STOs (including France, Germany, Italy, Luxembourg, the Netherlands, Romania, Spain, and the UK); 
2. No specific regulatory regime. In such jurisdictions, traditional securities laws are unlikely to apply to STOs without further legislative changes. This includes the Czech Republic, Poland, and Slovakia. In such cases, the regulatory treatment of STOs is based on the local laws governing intangible assets (as in the Czech Republic) or property (as in Slovakia).

The MiCA does not apply to crypto-assets (which qualify as financial instruments within the meaning of the MiFID II), deposits, funds (except if they qualify as e-money tokens), securitization positions, non-life or life insurance products and pension products. By way of example, investment services and ancillary services in relation to securities tokens which qualify as transferable securities under the MiFID II will not be subject to requirements under the MiCA.

STO regulations in Singapore

Regarding the Asia-Pacific region, it’s important to discuss the current regulatory framework in Singapore and Hong Kong. Singapore regulators focus on the following assets:

• A commodity under the Commodity Trading Act (CTA);
• A capital markets product under the Securities and Futures Act (SFA); or
• A digital payment token (DPT) under the Payment Services Act (PSA).

On November 14 2017, MAS first released A Guide to Digital Token Offerings (“Guide”), following its clarification on August 1, 2017. This established that if a digital token constitutes a product regulated under the securities law administered by MAS, the offer or issue of digital tokens must comply with the relevant laws. The Guide was last updated on May 26, 2020. There is no separate definition for security token offerings (STOs) and initial coin offerings (“ICOs”) in the Guide; only the generic terms “digital token offering” are used throughout. 

Digital tokens offered or issued may be regulated by MAS if they are “capital markets products” under the SFA. Capital markets products include any securities, units in a collective investment scheme, derivatives contracts, and spot foreign exchange contracts for purposes of leveraged foreign exchange trading.

According to the Guide, to determine if the digital token falls under “capital markets products”, MAS must examine the structure and characteristics of, including the rights attached to, a digital token in determining if the digital token is a type of capital markets product under the SFA.

A digital token may constitute:

• A share, where it confers or represents ownership interest in a corporation, represents liability of the token holder in the corporation, and represents mutual covenants with other token holders in the corporation inter se;
• A debenture, where it constitutes or evidences the indebtedness of the issuer of the digital token in respect of any money that is or may be lent to the issuer by a token holder;
• A unit in a business trust, where it confers or represents ownership interest in the trust property of a business trust;
• A securities-based derivatives contract, which includes any derivatives contract of which, the underlying thing is a share, debenture or unit in a business trust; or
• A unit in a collective investment scheme (“CIS”), where it represents a right or interest in a CIS, or an option to acquire a right or interest in a CIS.

For offers of digital tokens that constitute securities, securities-based derivatives contracts, or units in a CIS, the same regulatory regimes apply under Part XIII of the SFA. Therefore, offers must be made in or accompanied by a prospectus that is prepared in accordance with the SFA and is registered with MAS (“Prospectus Requirements”).

In addition, if such an offer is made in relation to units in a CIS, the CIS is subject to authorization or recognition requirements. An authorized CIS or a recognized CIS under the SFA must comply with investment restrictions and business conduct requirements (“Authorization/ Recognition Requirements”).

Exemption

Certain offers may nevertheless be exempt from the Prospectus Requirements and,

in the case of units in a CIS, the Authorization/ Recognition Requirements, where,

amongst others:

• The Offer is a small (personal) offer that does not exceed S$5 million (or its equivalent in a foreign currency) within any 12-month period, subject to certain conditions;
• The Offer is a private placement offer made to no more than 50 persons within any 12-month period, subject to certain conditions;
• The Offer is made to institutional investors only; or
•  The Offer is made to accredited investors, subject to certain conditions

Some of the requirements provided by the Guide include:

• Taking appropriate steps to identify, assess and understand money laundering and terrorism financing risks;
•  Developing and implementing policies, procedures and controls 
• Performing enhanced measures where higher ML/TF risks are identified to effectively manage and mitigate those higher risks; and
• Monitoring the implementation of those policies, procedures, and controls (and enhancing them if necessary).

STO regulations in Hong Kong

Hong Kong is a prominent APAC jurisdiction leading the charge in embracing crypto/ blockchain technology—and recent policy directions from the Securities and Futures Commission (SFC) and Hong Kong Monetary Authority (HKMA) show its dedication to providing clear regulations in this industry.

On November 29, 2023, the President of The Hong Kong Securities & Futures Professionals Association, Mr. Chen Zhihua, wrote to the Financial Secretary of Hong Kong in “Opinions on the 2024-25 Budget” suggesting the government consider launching an initial coin offering (ICO) mechanism. 

From a regulatory perspective, the Hong Kong government has been proactive in setting legal framework for the crypto industry. on June 1, 2023, Hong Kong implemented a new licensing regime for VATPs, overseen by the Securities and Futures Commission (SFC). 

For VATPs (for non-security tokens) under the AMLO regime, a handbook and guideline were issued to fill the regulatory gap that existed prior to that:

• The Licensing Handbook for Virtual Asset Trading Platform Operators provides detailed procedures for VATP operators to apply for licenses and comply with ongoing notifications;
• The Guideline on Anti-Money Laundering and Counter-Financing of Terrorism for Licensed Corporations and SFC-licensed Virtual Asset Service Providers sets out AML/CFT requirements and standards for VASPs.

Regulatory framework

The SFC viewed that tokenized securities are fundamentally traditional securities with a tokenization wrapper, hence the existing legal and regulatory requirements governing the traditional securities markets continue to apply to tokenized securities. As such, prospectus and investment public offering regimes will be applied to tokenized securities. 

Archetypes of DLT networks

The SFC highlighted that risks may vary depending on the type of DLT network used, and this should be addressed through the implementation of adequate controls. There are several common archetypes of DLT networks noted by the SFC, which include: 

• Private-permissioned, which is a closed-loop private network characterized by a centralized authority that controls and restricts access to predetermined users, and is typically governed by rules that apply to all users;
• Public-permissioned, which is a public network with a centralized authority that controls and restricts access through authentication, for example; and
• Public-permissionless, which is an open, public network that does not restrict access for privileges and has defining characteristics such as decentralization, pseudonymity and large-scale user base.

The key point to note is that the SFC does not outright reject the use of public permissionless networks—but it pointed out that the heightened cybersecurity risk (practical difficulties recovering their assets or pursuing claims for losses in the event of theft, hacking or other cyberattacks), as well as potentially higher exposures to money laundering and know-your-client issues associated with public permissionless networks.

KYC rules for STOs

As securities/issuers of securities, STOs don’t fall under national AML laws. If dealers and brokers are involved by the STO issuer to market the token sale, they must implement AML measures, such as KYC, as these are AML-regulated entities. 

Know Your Customer (KYC) is the process of identifying and verifying customers. Regarding STOs, this process covers the following:

• Compliance with AML/CTF requirements;
• Knowing whether STO investors are US citizens in order to apply either registration or exemption rules.

Identification of investors

The required information can differ across jurisdictions, but here’s a common baseline for verifying STO investors:

• Full name;
• Date of birth;
• Residential address;
• Government-issued identification number (or another similar unique identifier);
• Citizenship.

To verify an investor’s identity, businesses can use a document issued by an independent and reliable source containing the person’s photo (ID card or a passport).

To verify an investor’s residential address, businesses can use recent utility bills, housing insurance documents, or municipal taxes and bank account statements.

For STO projects, automated verification is the way to go. It reduces onboarding time to a couple of minutes and increases conversion rates (without needing to hire additional employees to control the process).

FAQ

• What is security tokenization?

  STOs are a form of fundraising involving the issuance of digital tokens to investors. In many jurisdictions, tokens issued under STOs are considered a security if they represent the right to any financial gain or claim on the issuer.

• Are security tokens regulated?

  It depends on the country. The majority of countries have regulations based on local securities laws, whereas others haven’t introduced any frameworks (e.g., China).

• What are the regulations for STO?

  Let’s provide examples from the US and the EU. In the US, STOs are regulated by the Securities and Exchange Commission (SEC). Under the Securities Act of 1933, any security offering made to US residents must either be registered with the SEC or be exempted from regulation under the rules of the Act. There are no specific regulations for STOs, however a number of the EU-level regulations may apply to STOs in some cases. For example, the EU Prospectus Regulation applies if STO tokens are characterized as transferable securities under MiFID II (unless certain exceptions apply). The Prospectus Regulation sets out the regime for the prospectus that must be published by a company when its securities are offered to the public or are admitted for trading on a regulated market.

• What is the difference between an ICO and a security token?

  The main difference is based on the characteristics and functions of the issued tokens. For instance, in an ICO, capital is raised by selling utility tokens, which give owners the right to use the company’s product or service once it is developed. In security token offerings (STOs), companies sell tokenized traditional financial instruments—such as equity where token holders receive rights to future profits.