Possible Digital Asset Industry Standards

BY
/
October 19, 2022

This document contains a draft of a set of standards that we as an industry could enact to create clarity and protect customers while waiting for full federal regulatory regimes.  Treat it as an industry norms manual, trying to establish consensus.  This is written by Sam Bankman-Fried, but neither he, nor FTX, feel confident that this structure is exactly correct–it’s just a draft.

Ideally, some industry group would mull over these topics, revise them, and publish what they feel to be an appropriate set of community norms!

And to be clear: nothing here is legal advice, or meant to override any relevant laws.  It’s merely an attempt to create what clarity and protection we can in the meantime.

Hacks and Accountability

Hacks are extremely destructive to the digital asset ecosystem.

They have been all too prevalent and large.  At the same time, the industry has done a decent job of identifying and flagging addresses carrying funds from a security breach, and so even if the funds are gone, the hacker may not actually be able to utilize most of them.

  1. We should formalize this, with major trusted parties adding addresses associated with security breaches to their public list of suspicious addresses. Thus, both centralized and decentralized protocols will be able to promptly freeze out the associated addresses.
  2. Whenever there is a security breach, there is often a negotiation between the hacker and the protocol; often the hacker will offer to return some, but not all, of the funds in return for some sort of immunity.
    1. In theory, such a deal can be healthy: it can protect customers, save companies and protocols, and still reward the parties that identified the vulnerability with a generous bug bounty.
    2. But in practice each negotiation is stressful and contentious for all involved. (We understand that, as a general matter, the victim here is the hacked protocol, and the hacker is not the good actor.)
      1. Among other things, the lines between a bug, a hack, market manipulation, and trading can blur in many of these cases, with the two sides taking very different views of it.
      2. Also, there's no consensus on how much should be returned.
    3. So, I propose a new community standard: the 5-5 standard.
      1. Say that there's a breach, and Alice takes $x from protocol abc. Say that abc has $y of their own reserves on-hand.
      2. First, protect customers. Alice should not get anything until customers are made whole-meaning that if x > y, then at least $x-y must be returned to abc.
        1. E.g. if Alice takes $1m and abc only had $800k of reserves, then Alice has to return at least $200k to make sure that, together with abc's reserves, customers of abc are made whole.
        2. This is the most important part. Customers must be protected above all else.
      3. Second, the only constructive solution here is one in which Alice is working in good faith and fully intends to cooperate and return the bulk of the assets from the beginning. There is no negotiating, or holding out and trying to use this framework as a backup plan.
      4. Assuming (ii) and (iii) are satisfied, Alice has to return at least 95% of the assets.
        1. In particular, Alice is allowed to keep the smaller of {5% of $x} and {$5m}. The rest is returned to abc.
        2. E.g. if Alice takes $1.5mm, she would keep $75k and return $1.425m; if she takes $150m, she keeps $5m and returns $145m.
      5. If Alice follows the 5-5 standard-making customers whole and returning all but min(5% of the amount she took, $5m)--then the min(5%, $5m) she keeps is treated as a (potentially very generous) bug bounty: she didn't in fact harm customers, she returned most of what she took, and helped alert abc-albeit very publicly-to a bug.
      6. By default, unless there are unusual logistics, Alice has 24 hours to return what she is supposed to according to the 5-5 standard.
        1. So, to be clear, Alice cannot hold out, and then treat 5-5 as a fallback option; it has to be her intention from the beginning to return the assets.
      7. If Alice does not follow the 5-5 standard-i.e. if she keeps more than her 'fair share'--then she is treated as a 'bad actor' by the community.
      8. Note, to be absolutely clear, that nothing here is a legal or regulatory statement; this is just a proposal for a crypto community norm.
    4. The key thing here is:
      1. Create a clear consensus standard to follow, so that it's unambiguous what the duty of bug exploiters is
      2. Make sure customers are protected
      3. Make sure there's enough incentive for those who find security holes in protocols to follow the standard that they will in fact do so
    5. Why 5-5?
      1. I'm not sure what the right numbers are and am very open to other choices!
      2. But: if the 5-5 standard had been followed, historically, it would have reduced the impact of hacks by more than 98%.
      3. That's a huge improvement-and my instinct is that it's well worth accepting the cost of the 2% in return for solving the vast majority of the problem.
      4. I think that creating a standard that could drastically reduce the impact of security breaches would be immensely important for the industry.
    6. I feel very uncertain what the right standard to have is, and am very open to suggestions on this front!

Asset listing; also, what is a security?

At least as of now, one central question that actors in the industry must sometimes answer is whether a particular asset is or is not a security.

In general, BTC and ETH are not considered securities; many long-tail tokens acting as investment contracts are securities.  There are a number which are unclear, however.

Eventually, there may be legislative, regulatory, or judicial clarity on this question.  Until then, this is how FTX, at least, plans to proceed. To be clear, this is only for listings on FTX US; this is not meant to make any decisions for the industry more broadly.

  1. First, our legal team will do an analysis of the asset according to the Howey Test and other relevant case law and guidance. If that analysis finds it to be a security, FTX US will treat it as such.
  2. If (1) does not find it to be a security, we will generally treat it as a non-security commodity, unless the asset is found by the SEC and/or an appropriate court of jurisdiction to be a security.
  3. If we do find an asset to potentially be a security, we will not list it in the US unless/until there is a process for properly registering it. Again this is just our determination and just for FTX US; other platforms will make their own decisions.

For all assets listed on our federally regulated platforms, we intend to publish an informal registration-statement-like overview of the asset.  See here for a draft of such a statement for bitcoin.

Ideally, we’d end up in a place as an industry where being a security is not a bad thing: where there are clear processes for registering digital asset securities which protect customers while allowing for innovation.  We remain excited to work constructively with regulators to develop and act within a regulatory framework for tokens that are securities.

Tokenized equities

I think that, eventually, blockchain technology has a lot of potential to improve traditional market infrastructure.

On January 28th, 2021, retail investors bought large amounts of certain equities–e.g. AMC and GME–on a number of mobile brokers, notability including Robinhood.

As prices of those stocks rose, the investors made large amounts of money, at least marked to market.  Perversely, this posed a problem for the markets.

Stocks take two days to settle (and dollars can take months, especially for ACH and credit cards), with some amount of uncertainty and risk that the other side will fail to deliver in the intervening period.  This means that, on January 28th, retail investors had billions of dollars of unsettled gains.

The typical retail stock transaction goes through a huge number of entities: for instance

  1. Mobile broker A
  2. A 's securities clearing firm
  3. A 's bank
  4. PFOF firm B
  5. B 's clearing firm
  6. B 's bank
  7. DTCC
  8. Darkpool C
  9. C 's clearing firm
  10. C 's bank
  11. DTCC, again
  12. PFOF firm D
  13. D 's clearing firm
  14. D 's bank
  15. DTCC, again
  16. Securities exchange
  17. DTCC, once more
  18. …and then more for the other side

That’s over 15 entities for a single investment!

And every single one of them incurs some amount of settlement risk.  So if retail makes billions of dollars in a day, then you have tens of entities, each of which potentially need billions of dollars of spare capital, in case any one of the many entities in the chain later fails to deliver.

Once the investor’s profit exceeded the regulatory capital of the less well capitalized brokers, those traders were shut down, and in some cases liquidated, to ensure that they didn’t make any more money–money their brokers would not have been able to guarantee. There’s a limit on how much money retail can make in the current equities market structure!

But on January 28th, digital assets kept trading liquidity. Why?

Because if Alice wants to buy SOL from Bob in return for USDC, Alice sends the USDC on-chain to Bob, Bob sends back the SOL, and a few seconds later–with just ~$0.0005 in fees–the trade has fully settled, with no outstanding settlement uncertainty or risk, and so essentially no regulatory capital necessary.

And if two platforms had a transfer or transaction between them, they could just send the appropriate asset on the blockchain to the other one, once again clearing up settlement risk in seconds.

All of which is to say: I think that tokenizing stocks could help simplify securities settlement, providing a stronger and more equitable market structure for retail.

What’s blocking this now?  I think the biggest thing is regulatory clarity: what would clearing, custody, registration, issuance, disclosures, etc. look like for e.g. tokenized AMZN?

Customer Protections, Disclosures, and Suitability

The clearest way to help protect investors is to provide transparency and prevent scams.

Investors should be given clear, comprehensible information describing the asset they are considering, and regulators should crack down on any that misrepresent or make materially misleading marketing claims.

I also think that, as a default, systems should not meaningfully run on credit–especially for retail.  Retail investors should generally not be able to lose more than they have deposited to a platform, and any credit extended by a platform should be given extreme scrutiny if its failure could result in socializing losses among other innocent investors on the platform.  This is one of the core planks of the clearing model we propose in our DCO amendment.

It’s also worth noting that this is one of the strengths of DeFi: even during one of the largest crashes in crypto history, truly decentralized platforms didn’t suffer losses–because rather than rely on vague credit checks, they verified the assets used for margin by requiring them as collateral.

If you have sufficient disclosures and transparency, are not exposing investors to more risk than what they deposit, and are regulating away scams, the remaining core piece of customer protection is suitability.  In other words, who is an appropriate user for a particular product?

Centralized, regulated digital asset venues–like FTX–are going to end up under various disclosure/transparency regimes, potentially including suitability checks in some cases.

There are many ways that one could try to determine suitability, which generally trade off economic freedom against risk.

There is no single perfect procedure to determine suitability, but as a general matter, I believe that knowledge-based tests are the appropriate method, and significantly better for customers than wealth-based standards.

Here are various methods one could use to determine who can access a particular product:

  1. Only investors whose net worth is at least $x can access the product
  2. Only investors whose income is at least $y can access the product
  3. There is a test based on the mechanics of the platform and product; only investors who pass that test can access the product
  4. Anyone can access any product so long as the product is not scam
  5. The platform should choose at its own discretion who can access its product

The problem with (a) and (b) is two-fold.  First, they can act to reinforce class barriers: only the wealthy can get real access to the financial ecosystem, and so only those who already have lots of money are allowed to make and grow money, exacerbating economic, racial, and rural disparities.  Second, it’s not clear that it in fact does a great job of protecting investors.  I’ve found the users who have had to fight through the most in their life to achieve economic stability tend to be among the most informed, sophisticated, and knowledgeable users; claiming that excluding the poor from having financial freedom is effective customer protection would imply things I very much do not believe.

The problem with (d) is that you could see people taken advantage of who do not understand the platform they’re using, taking risks they’re unaware of and are not willing to take.

(e) could mean any number of things, but is generally an invitation for bias and exclusion, creating ivory towers of financial access.

As far as I can tell, (c) is the most appropriate.  Rather than making assumptions about economically disadvantaged populations or condescending to any particular groups, it drives straight at what is in fact the largest worry: that people will use a product they do not understand, taking a risk they are not willing to take.  In general America is built on a foundation of freedom and individual choice, and that’s true economically and financially as well as verbally.  But that doesn’t allow platforms to take advantage of customers with misleading, deceptive, or sloppy products.  And so I support implementing knowledge-based quizzes–rather than asset-based ones–to determine product suitability.

Anyway–in order to demonstrate what we would plan to launch FTX US Derivatives with, were our amendment to be approved, we’ve put together a site that contains a comprehensive set of customer protections–from disclosures to explainers to knowledge based quizzes.

Sanctions, allowlists, and blocklists

In order for commerce to work, it’s crucial that validators and smart contracts are free, permissionless, and decentralized.

There are many cases, though, where many asset senders and centralized intermediaries will want or need to maintain and/or respect various address blocks: either because of hacks, scams, or sanctions.

I fundamentally believe that blocklists – not allowlists – are the correct approach to sanctions compliance on blockchain environments.

The possible options for those sending assets or acting as centralized intermediaries are to either:

  1. Allow all transfers
  2. Ban transfers between sanctioned parties (i.e., declare these transfers illegal and hold violators liable) but otherwise presumptively allow other peer to peer transfers
  3. Ban all transfers unless specifically allowlisted by an institution

Allowing all transfers opens up the door to significant financial crimes, and banning all transfers unless allowlisted grinds commerce and innovation to a halt and freezes out the economically disadvantaged.  Maintaining a blocklist is a good balance: prohibiting illegal transfers and freezing funds associated with financial crimes while otherwise allowing commerce.

It’s worth emphasizing this: all of commerce breaks down if you require a allowlist to transact.  Want to buy a bagel at a corner store?  Better have your passport, proof of address, phone, email, and SSN ready!  Oh, and I sure hope 7-11 likes being a broker-dealer.  (Imagine what would happen to the underbanked if buying a bagel required a passport.)  Maintaining the presumptive freedom of peer to peer transfers and decentralized blockchains (unless there is specific evidence of a scam, illicit finance, etc.) is absolutely necessary.

At the same time, the largest gap in sanctions compliance right now is timing–what happens if funds from illicit financial activities are moved after the activities are discovered but before that’s communicated to all of the platforms?

What does this mean, in practice*?  (*To clarify, “in practice” here means “how things should work in a perfect and logical word”).  

  1. To make it quicker and easier for those custodying funds to access various potentially blocklists, including OFAC’s sanctions lists:
    1. There should be an on-chain list of the sanctioned addresses, updated in real time, maintained either by OFAC or by a responsible actor.
      1. Treasury should make it clear and public which addresses stores the sanctions list, and how to parse it.
    2. Then, centralized applications can query, in real time, the list of sanctioned addresses, to avoid transferring funds to or accepting funds from those addresses.
    3. Note that if Alice is sanctioned and Alice sends $1 to Bob, that doesn’t necessarily implicate Bob: Alice may have done so unilaterally.
    4. There should also be a way to cure your address if flagged funds are unilaterally sent to it:
      1. If you receive funds from a sanctioned address, it might not have been your decision; sending funds is unilateral
      2. Thus there should be a ‘frozen funds’ address–possibly a burn, possibly maintained by OFAC–that you can send tainted funds to if you receive them, curing your address.
      3. Even with tainted funds, your address should not be flagged unless you attempt to forward on the sanctioned assets to another address. In other words: sending sanctioned funds is sanctioned; receiving them should come with an opportunity to cure.
  2. In addition, trusted actors should maintain their own on-chain list of addresses that are suspected to be associated with financial crimes. There should be a standardized format for this.
    1. To be clear, these are not the same as sanctioned addresses; it’s a much lower bar, and there should not be a legal prohibition on transacting with these addresses.
    2. However, many people may find it useful to reference these lists.
    3. This can also help with inter-exchange cooperation.
  3. This will help sanctions compliance, and ensure that we as an industry can effectively maintain a blocklist while still allowing for general economic freedom.

Finally: we should attempt to implement some system like the above to help us respond quickly to incidents.  If this were updated quickly and immediately on-chain, we could make reponses and asset freezing effectively instantaneous.

DeFi

DeFi is crucial to a lot of the innovation that digital assets could ultimately bring.  It’s also one of the trickier things to think about in the context of current regulatory frameworks.

But there’s never going to be a perfect answer; all we can do is put one foot in front of the other.  So here’s a proposal for a rough regulatory heuristic to use with DeFi.

First of all: maintaining free, decentralized validators and smart contracts is absolutely crucial for DeFi–and commerce more generally–being able to function.

On the one hand, you have actions that feel more like free speech, expression, and mathematical constructs: those that are purely writing code, deploying it to decentralized blockchains, or validating blocks according to the rules of the chain.  Decentralized code as speech.

On the other hand, you have constructs that look much more like centralized financial services: an American actively hosting a centralized website that markets and actively facilitates US retail investors to access DeFi protocols, or actively marketing products.  Centralized GUIs and marketing as regulated financial activities.

What this would mean:

  1. You don't need a financial license to upload code to the blockchain.
    1. So smart contracts should remain permissionless and free
  2. Similarly, validators have a core duty to correctly validate blocks-not to judge or police them
    1. Validators should remain permissionless and free
  3. However, the following activities would potentially require some license/registration/etc.:
    1. An American hosting a website on e.g. AWS that actively provides a front-end that encourages and facilitates US retail users to trade on decentralized protocols
    2. Actively marketing DeFi products to US retail investors

Some examples:

  1. You could write the code for a DEX and upload to a blockchain without a license
  2. You could trade on a DEX without a license
    1. So long as you are doing so purely with your own money and not managing a fund
  3. You can send transfers peer to peer without a license; otherwise there may be already existing applicable managed fund regulation
    1. Although individuals and centralized custodial intermediaries would still have to avoid sending it to sanctioned addresses
  4. Validators themselves purely have the goal of confirming that proposed blocks are in accordance with the rules of the blockchain, not separately parsing and policing regulatory content
  5. If you host a website aimed at facilitating and encouraging US retail to connect to and trade on a DEX, this may end up falling under something like a broker-dealer/FCM/etc.
    1. You may also potentially have KYC obligations
    2. To be clear, this is separate from generalized tooling for on-chain parsing and interfacing, e.g. etherscan.io
  6. If you actively market a product to US retail investors, some registration may be required-either from you, or from the product you are marketing
    1. To be clear this may already the case under various regulations
  7. DAOs with purely on-chain activity do not require licenses–similar to individuals
  8. It is extremely important that on-chain code and DeFi remain free and open, and uncensored.

This is a compromise, and it’s not perfect by any strongly held position.  But I think it’s reasonable.  It allows core technological innovation to continue and people to express their freedom, while requiring licensure for activities that market to retail or resemble traditional financial brokerages, creating a layer for regulators to enforce consumer protection and market integrity.

I’m very open to suggestions on this front!  There are many variants that one could have.  But above all else: figuring out how and where DeFi and things tangentially related to DeFi do and don’t fit into regulatory contexts is a hard problem, and one on which there is not yet firmly settled thought.  We should be careful about locking in decisions absent working out a sound and responsible basis for doing so.

Stablecoins

See here for a proposed set of community standards on stablecoins, at least until there is an explicit regulatory framework for them.

Stablecoins present a huge opportunity to modernize and democratize payments, both domestically and abroad.  We should adopt regulatory policy that supports them, while protecting against any systemic risk.

In short, any stablecoin holding itself out to be stable relative to the US Dollar should be backed by at least as many US Dollars (or federal government issued treasury notes/bills) as there are stablecoin tokens in circulation, and should maintain up to date and public information and audits attesting as such.

In addition, there should be KYC of the traders participating in the on-ramp/off-ramp process (i.e., KYC of the individuals and entities creating and redeeming the stablecoin).  This is very easy to get correct - and we think there are a number of suitable regulatory frameworks under which a stablecoin program may be pursued - provided the operating entity maintains the relevant information on assets and has and enforces the proper KYC requirements.  To be clear, this does not mean that passports and social security numbers are necessary to buy a bagel from 7-11–but issuances and redemptions of stablecoins should be BSA-level KYCed activity.

Paperclip file attachment icon
Possible Digital Asset Industry Standards