“The prices of many cryptocurrencies have exhibited the classic hallmarks of bubbles including new paradigm justifications, broadening retail enthusiasm and extrapolative price expectations reliant in part on finding the greater fool.” Mark Carney, March 2018.

Cryptocurrencies have grabbed the attention of both regulators and investors. Bitcoin, the first and now most traded cryptocurrency, was created in 2008; there are now around 1590 cryptocurrencies exchangeable on the market [1]. Similarly, in 2017, 210 Initial Coin Offerings (ICOs) were completed and raised around $3 billion, compared to $95 million raised through 43 ICOs in 2016 [2].

Despite this rapid growth, the market for cryptocurrencies is still small. On a daily basis, the global volume of transactions in bitcoin, the most traded cryptocurrency, represents less than 0.1% of total retail payments in the euro area [3]. This is partly because most cryptocurrency networks suffer from scalability constraints and are currently unable to support higher transaction volumes [4].

Nevertheless, the growing interest in and investment by consumers and firms in cryptocurrencies and tokens issued through ICOs as a new form of asset class usually outside the regulatory perimeter have caught regulators’ attention over the last few months.

Our analysis looks at what makes cryptocurrencies and ICOs different from traditional currencies and public offerings, and how the regulators have responded to these activities so far. We explain some of the key principles and regulatory concerns in relation to cryptocurrencies and ICOs and where further regulatory scrutiny is expected. It is particularly relevant to unregulated firms offering cryptocurrencies, but regulated firms which are exploring how to use or participate in the cryptocurrency ecosystem may also find the issues raised in this article useful.


For the purpose of this blog, we define a cryptocurrency as a digital representation of value, designed to work as a medium of exchange. It is not issued by any central authority such as a central bank, and typically uses distributed ledger technology [5] (DLT) to control the issuance of new units and record each transaction.

In an ICO, a company, usually in early development stage, provides a “token” or “coin” denominated in a cryptocurrency to investors in exchange for their capital investment. The business models of firms using ICOs are diverse and so is the basis on which the tokens are valued. Tokens may constitute a share in the company, a voucher for investors to benefit from the firm’s project or product in the future, or may not give any right or value at all. This diversity has made it challenging to apply the existing regulatory framework to all ICOs, and regulators have instead decided to regulate them on a case by case basis [6]. This approach was highlighted in FINMA’s recent guidelines on ICOs which is one of the first pieces of regulatory guidance specific to ICOs [7].

More recently, cryptocurrency derivatives such as futures and contracts for differences have been developed by large trading firms and exchanges, including Nasdaq Inc. and Cboe Global Markets Inc. [8]. In contrast with cryptocurrencies and ICOs, there has been broader consensus from regulators about the need to consider cryptocurrency derivatives as financial instruments and therefore to bring them within the regulatory perimeter [9].

Cryptocurrencies and ICOs: what differentiates them from traditional investments and why it matters

Cryptocurrencies are not equivalent to fiat currencies because they do not meet the three defining criteria of money, i.e. being a store of value, a unit of account and a medium of exchange [10]. Regulators prefer the term “crypto-assets” to describe cryptocurrencies used for investment purposes, and traded on exchanges operating outside the regulatory perimeter.

But cryptocurrencies are also technically different from fiat currencies.

First, cryptocurrencies are not backed by a central authority, but are created and distributed through a decentralised network of computers (i.e. distributed ledgers). They do not have an intrinsic value linked to tangible assets, which can make their value very volatile over time. In the case of ICOs, tokens are not legally backed by any authority [11]. The transfer of tokens’ ownership is recorded on the distributed ledger and can be checked by all participants of the ledger.

Cryptocurrencies also differ from fiat currencies in that, in the vast majority of cryptocurrency networks, transactions are completely anonymous. Users of a distributed ledger do not identify themselves with a name but with a combination of public and private keys [12]. Neither the private nor the public key is associated with a real person’s name or personal data. Moreover, DLTs make it impossible to reverse a transaction once it has been validated by all the computers in the network and recorded in the ledger.

Blurring the limits of the regulatory perimeter

As the FCA recently pointed out, the packaging and use of cryptocurrencies as investments could pose significant risks to market integrity and customer protection, therefore increasing the necessity of bringing these activities into the regulatory perimeter [13].

EU and UK regulators have highlighted ICOs and cryptocurrencies as one of their priorities for the next few years [14]. Their focus will be dual: first, assessing whether cryptocurrencies and tokens fall within the definition of traditional financial instruments, and should be subject to the existing regulatory framework; second, evaluating the risks that these activities present for consumer protection and market integrity as they become more “mainstream”.

Some of the risks highlighted by regulators are set out below:

  • Money laundering: the anonymity of cryptocurrency and token transactions has raised concerns about their use for illegal activities such as money laundering and tax evasion. In the EU, Member States agreed in December 2017 to include cryptocurrencies within the scope of the Fifth Anti-Money Laundering Directive, which was adopted by the EU Parliament in April 2018 [15]. This will require cryptocurrency exchange platforms and custodian wallet providers [16] to be registered, apply customer due diligence and Know Your Customer controls when on-boarding new investors. The revised Directive should come into force in the course of 2019. In the UK, the FCA recently highlighted the good practices it expects from banks offering services to clients who derive revenues or business activities from cryptocurrency-based activities [17].
  • Cyber risks and financial stability: as recent attacks on cryptocurrency exchanges showed, the rising number of users and the high value of transactions make these exchanges an attractive target for cyber attacks [18]. The potential contagion of risks to the financial system is likely to attract regulators’ attention, especially as incumbents start increasing their exposure to cryptocurrency exchanges by providing bank accounts or loans to cryptocurrency platforms.
  • Information and transparency: the widespread advertising of cryptocurrencies and ICOs has encouraged a range of consumers to invest in them, without necessarily understanding or being notified of the risks. EU and UK regulators issued warnings to inform investors of the need to check their investments’ viability and protect them against “scams” [19]. Additionally, some of the large tech firms have banned adverts for cryptocurrencies and ICOs on their websites [20]. This focus on the education and awareness of investors about the risks posed by cryptocurrencies is likely to be a greater priority for regulators in the future.

Nevertheless, regulators are aware of the opportunities that cryptocurrencies can present for broader policy objectives. If appropriately supervised, ICOs could be an alternative way for small firms to raise capital or for bigger firms to raise smaller sums of money at a lower cost.

A flexible regulatory framework will be necessary to keep pace with the rapid developments in cryptocurrencies and ICOs while addressing their risks. In the short term, regulators have to consider how the existing regulatory framework applies to ICOs and cryptocurrencies or the platforms on which they are exchanged or issued. Both EU and UK regulators have committed to doing so by the end of the year [21]. The longer-term challenge for regulators will be, as the risks of cryptocurrencies and ICOs are better understood and identified, to develop relevant policies in a timely way which balances their consumer protection and market integrity objectives with fostering innovation and competition in the market.

Implications for firms

In addition to the upcoming anti-money laundering requirements at the EU level, it seems likely that more stringent oversight will come from the regulators, although the pace at which this will happen is uncertain.

Currently unregulated cryptocurrency firms could benefit from preparing for this enhanced regulatory control. First, aligning their practices to the existing requirements applicable to regulated firms could improve their resilience and help demonstrate the seriousness of their intentions to a broad range of stakeholders, which could in turn help them scale up and reach out to more investors and customers. Second, the crystallisation of a major problem or risk to customers and/or markets will undoubtedly prompt rapid regulatory action, and those cryptocurrency firms which will have already aligned themselves voluntarily with the relevant requirements for regulated firms will be well placed to respond more effectively.

Demonstrating robustness in the underlying business model and governance and adhering to the principles set out in regulation for comparable assets would enable firms to establish a more sustainable cryptocurrency or ICO programme. Relevant considerations include:

  • Effective systems, processes and governance frameworks - cryptocurrency and ICO firms should have robust operational resilience (specifically to cyber risks), governance and control frameworks. The protection and governance of investors’ private keys and personal data are likely to be areas of specific focus. For firms facilitating a trading service in cryptocurrency derivatives, safeguarding the asset from being hacked and stolen will be a key requirement.
  • Accountability and auditability - firms should focus on developing sound reporting and monitoring capabilities, specifically in relation to tracking and documenting the ownership of cryptocurrencies and ICO tokens.
  • Transparency of information provided to investors - assuming regulators work on applying the existing regulatory framework to cryptocurrencies and ICOs, where relevant, firms may be obliged to provide Key Information Documents (KID) and prospectuses to ensure that investors are aware of the risks they are taking. Firms could prepare for regulatory scrutiny by aligning the information they provide to investors for cryptocurrency-based investment with the KID and prospectuses currently required for comparable assets, denominated in fiat currencies, which are currently regulated. The implementation of procedures for dealing with investors’ questions and complaints will also be important.
  • Applicability of universal regulation – even if a firm is unregulated there are specific pieces of regulation such as GDPR and compliance with sanction regimes that will currently apply.
  • Cryptocurrency exchanges – these firms are likely to be the first to be brought within the regulatory perimeter. Cryptocurrency exchanges have been likened to exchanges of traditional traded securities and there is a call to hold them to the same regulatory standards [22].


Regulators will continue assessing the opportunities of cryptocurrencies and ICOs against the risks they can pose to financial stability, customer protection and market integrity. This assessment will determine whether additional regulatory action or guidance is required in the future. In the meantime, the reports from EU and UK regulators at the end of the year will give more clarity around their expectations and potential actions in the medium term.

However, the international and decentralised dimension of cryptocurrencies’ underlying technology, and the lack of regulatory harmonisation, make the regulatory task more challenging.

In this uncertain context, there is a case from both a regulatory and business perspective for cryptocurrency and ICO firms – both regulated and unregulated – to comply with the spirit and letter of the law for comparable regulated assets and services. Building relevant regulatory requirements into product design, governance and control frameworks of a firm will help it be better prepared for what we see as the inevitability of regulation.


This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.


[1] For a list of cryptocurrencies:
[2] For data on the ICO market:
[4] For example, Bitcoin and Ethereum networks can support up to 7 and 15 transactions per second respectively, while the Visa network can handle more than 24,000 transactions per second. For data on the scalability of the Bitcoin network, refer to:; for Ethereum, refer to:; for Visa, refer to:
[5] For a definition of distributed ledger, refer to:
[6] For the FCA’s position, refer to:; for ESMA’s position, refer to:
[7] Refer to:
[8] For more information on trading firms’ initiatives around cryptocurrencies, see:
[9] For the FCA’s position, refer to:; for ESMA’s position on contracts for differences with cryptocurrencies as the underlying, refer to:
[10] Refer to Mark Carney’s speech at the inaugural Scottish Economics Conference:
[11] In the US, William Hinman, director of the SEC’s corporation finance division, recently gave a speech at a conference in San Francisco in which, while using the SEC disclaimer that his speech did not necessarily reflect the views of the SEC, he argued that it was possible that a cryptocurrency initially offered as a security through an ICO could further evolve into something different from a security, and closer to a commodity. In this perspective, and given the decentralised nature of cryptocurrency networks, applying the disclosure regime traditionally applicable to federal securities could prove irrelevant.
[12] These are digital passwords that enable users to receive and send encrypted information (or payments) so that unauthorised users cannot access or intercept it.
[13] The FCA stated in its Business plan 2018/19: “Cryptocurrencies themselves (i.e. those designed primarily as a means of payment/exchange) are not currently within our perimeter. However, some models of use or packaging cryptocurrencies bring them within our perimeter, making the landscape complex”.
[14] The risk assessment around cryptocurrencies and ICO features in the European Commission’s FinTech Action Plan, the EBA FinTech Roadmap, the FCA’s Business Plan, and the UK FinTech Sector Strategy.
[15] To read the text of the AML5 adopted by the European Parliament, refer to:
[16] The text of the AML5 defines a custodian wallet provider as “an entity that provides services to safeguard private cryptographic keys on behalf of their customers, to hold, store, and transfer virtual currencies”.
[17] Refer to:
[18] Refer to;
[19] The FCA warned about the risks of investing in cryptocurrency derivatives:; and the ESAs did the same on the risks of buying virtual currencies:
[20] Refer to:
[21] The UK Cryptoassets Task Force, which brings together the FCA, BoE and HMT, committed to report back in Q3 2018 (; in its FinTech Roadmap, the EBA said it would collaborate with EIOPA and ESMA to assess whether the current EU framework is appropriate to cryptocurrencies, and will publish a report and/or opinion addressed to EU legislators on the topic (
[22] Refer to Mark Carney’s speech:;



David Strachan - Head of EMEA Centre for Regulatory Strategy, Deloitte

David focuses on the impact of regulatory changes - both individual and in aggregate - on the strategies and business/operating models of financial services firms. David joined Deloitte after 12 years at the FSA, where in his last role, Director of Financial Stability, he worked on the division of the FSA into the PRA and the FCA.


Steven Bailey - Director, Risk Advisory

Steven is a Director within the UK payment practice. He has more than 15 years’ experience in assurance and advisory services specialising in providing technology risk and control services to the banking and payments industry. He has led major process, technology and regulatory reviews across many parts of the payments ecosystem including banks, schemes, networks and other providers.



Suchitra Nair - Director, EMEA Centre for Regulatory Strategy, Deloitte

Suchitra is a Director at the Centre for Regulatory Strategy and leads on technological innovation and regulatory strategy. She has over 15 years’ experience in the financial services sector gained in Audit, Corporate Finance and Risk Advisory teams. Prior to joining the Centre, she used to lead the implementation of large scale regulatory change projects at international banks.



Morgane Fouche - Senior Associate, EMEA Centre for Regulatory Strategy, Deloitte

Morgane is a Senior Associate in Deloitte’s Centre for Regulatory strategy, where she focuses on FinTech regulation. She joined Deloitte in 2017, after working as a consultant on competition policy at an international financial organisation. She also has previous experience working in academia and the French public sector. Morgane holds a dual degree in International Relations from the London School of Economics and the Paris Institute of Political Studies.
