Substance over form: a quick note on the SEC’s first NFT Settlement

From ZachXBT this morning:

I cannot recall something which was labeled as an NFT being treated as a security by American regulators previously. According to the SEC, this case is the first. With that in mind, it’s important to revisit first principles on selling crypto-critters in the United States. One thing which I see a lot of, all the time, is when developers start out with something which is unregulated and gradually mission-creep their way into something regulated.

Given how powerful cryptocurrency tech is, these mistakes are shockingly easy to make. This is because cryptocurrency, particularly the smart contract variety, is capable of “captur[ing] unlimited richness in flows of actions and events; computer scientists might prefer to recognise this as a state machine with money.”

A state machine with money, of course, is capable of performing virtually any function normally performed by the financial technology stack because it automates and secures the “money” portion of it programmatically in a manner which in TradFi needs to be secured by a human authenticator. Ian Grigg’s essay Financial Cryptography in 7 Layers – which predates crypto-as-we-know-it by nine years and Ethereum-style smart contracts by fifteen – neatly disaggregates the wet-code concepts which are factored by a human authenticator which most crypto developers, frequently unknowingly, attempt to program into their smart contract applications, compressed into a single layer as they try to implement a particular specification.

“Legal,” of course, pervades all of these layers, and we get a chance to see projects as they evolve. To paraphrase Rousseau, “most crypto projects are born free, yet everywhere they are in chains.” Designing a basic protocol application and the act of hashing a proof-of-work genesis block is not, generally speaking, a regulated activity anywhere in the world. It is the stuff protocol engineers do afterwards in relation to that genesis event, such incentives that they create to bring in new users – items 5-7 on the 7 layer framework – which, generally speaking, creates the liabilities.

So last week, for example, we saw the Tornado Cash indictment come down. There were howls of dissent from much of the crypto community over this due to the perception that the U.S. government was seeking to censor code and suppress open-source developers. Without prejudice to the constitutional presumption of innocence to which all criminal defendants are rightly entitled, having read the indictment, it seems that there was rather a lot of post-instantiation management of the Tornado Cash platform which, had I been a developer, the devs might have chosen to think better of and avoid. Leaving protocols published on GitHub without choosing to then embark on associated altcoin launches or management of the protocol as a going concern might be a recipe for protocol failure and obsolescence. It’s also a way to hew much more closely to the First Amendment and cases like Bernstein v. United States.

Similarly, one thing I see often enough, and increasingly in the wake of the Gensler SEC’s crackdown on more “traditional” ICO products, is the recharacterization of certain crypto-asset securities as “non fungible tokens” or NFTs. Impact Theory basically issued “NFTs” in three tranches:

In relation to which the SEC assessed as follows:

In advance of the offering, Impact Theory publicly stated that it would deliver “tremendous value” to KeyNFT purchasers. Impact Theory also stated that it would use the offering proceeds for “development,” “bringing on more team,” and “creating more projects.” Consistent with the foregoing, Impact Theory collected the proceeds from the KeyNFT sales in a single crypto asset wallet and used a portion of those proceeds to pay certain vendors providing services related to Impact Theory’s business.

It bears reminding that the Howey test “embodies a flexible, rather than static, principle” which is designed to look towards the substance of the transaction and not how it is labeled when determining whether something is or isn’t a security. The NFT space, which is relatively new, is no different – if a non-fungible token is sold in exchange for an investment of money in a common enterprise, with an expectation of profit arising from the efforts of a promoter or a third party, it is just as liable to be a security as a fungible token which sold in the same manner and with the same expectations.

Mind you, Impact Theory seems, at least from the settlement, to have been very far on the wrong side of the line, a dissent from Commissioners Pierce and Uyeda notwithstanding – “It’s like investing 10k with a 300k upside, for a small risk,” went one statement from the Discord; “Everyone here is an early adopter! Buying a founders [sic] key is Like [sic] investing in Disney, Call of Duty, and YouTube all at once,” went another; “you are investing in [the Impact Theory] team and regarding this is an opportunity that has never been there its [sic] like handing $20 to Mark Zuckerberg in his dorm room,” went another – such that if the sellers were selling a literal rock attached to those promises, to say nothing of an NFT, I could make out the case that they were selling securities. But there is no reason why this same regulatory mistake is also one which could be fairly easily, and entirely honestly, committed by inexperienced founders or otherwise legitimate projects who are stacking on additional functionality to please their users.

Just as an unstoppable blockchain app ignores the law, the unstoppable law ignores the blockchain. Labels and choice of data structures are part of the regulatory puzzle but are not dispositive. Substance is.

Infinitely expressive “state machines with money” tempt developers to build things that people will want to buy, and make it trivially easy to do so. But writing the code for the machine is one thing which happens fairly low down on the conceptual 7-layer stack; operating the machine as a going concern is quite another and lives at the top of the stack, where the laws are most active too. Understanding that different regulatory regimes apply to different layers is a basic prerequisite to providing good legal advice in this area. Just as a token labelled a “utility token” has been assessed as problematic by American regulators, so too can a token labelled a “non-fungible token,” even if the data structure utilized by that token does in fact make it non-fungible. Proceed accordingly.