How to Determine if your Security Token Offering was Compliant

We walk you through the questions you need to ask to find out if your token offering was truly compliant. For DSOs/ STOs/ ICOs/ that don’t pass the test, don’t worry, there are ways to get your offering back on track.

How to determine if your security token offering was compliant, and if not, how to fix it.

Over the last few years, numerous initial coin offerings (ICOs), security token offerings(STOs) and digital security offerings (DSOs) were offered or sold to U.S. persons. In July 2017, the SEC maintained that such crypto-assets meet the definition of a “security” and thus fall under the SEC’s jurisdiction.

Since then, the SEC has begun making its rounds. In November of 2018, CarrierEQ Inc. (Airfox) and Paragon Coin Inc., both of which conducted token offerings after the SEC’s public warning, were forced to return funds to investors, register the tokens as securities, and pay penalties.

What we are now observing is that any “self-reporting” token issuers taking prompt remedial steps in cooperation with the SEC has led the Commission to forego imposing civil monetary penalties. In February 2019, a company called Gladius took these ‘remedial steps’ and successfully avoided enforcement.

Horizon’s Rescission Software Solution was developed to address the rescission needs of a “self-reporting” token issuer while mitigating unnecessary fees on top of the baseline legal fees necessary to remedy a non-compliant token offering. From firms we’ve spoken to, issuers were said to have paid up to $70,000 in legal fees for simple services such as KYC/AML re-verification’s. We believe that, obviously, this is in incredibly steep price to pay.

So…whether you’ve already conducted your token offering or are gearing up to launch one soon, we created the following guideline on three primary points of concerns when it comes determining whether your offering is, or was, truly compliant.

1. Did your digital securities offering include US investors?

The caveat here is that this includes knowingly or unknowingly allowing US investors to participate. What many ICOs/ STOs/ DSOs did, especially in foreign jurisdictions, was exclude US investors entirely to avoid US regulation. The problem is, if a US investor still manages to invest in a token offering that was not registered or qualified for an exemption under Reg D, Reg S or Reg A, for example, the offering could fall under SEC policing authority. The big question here is did you and your team take the steps necessary to say with one hundred percent confidence that your offering doesn’t include US investors.

Quick side note: involving US investors is entirely possible and a great way to tap into a highly liquid marketplace. Horizon’s software suite recently powered a Switzerland-based DSO engaging US investors compliantly through the use of an SEC-registered Transfer Agent called Vstock. The TA is licensing our software portal known as Custodyware to issue and custody the tokens, ensuring a compliant offering.

2. Did you ensure proper KYC/AML was conducted?

As a quick form of reference KYC stands for ‘Know Your Customer’ which involves verifying investors’ identities and information pertaining to a particular investors’s risk tolerance, investment history and overall suitability to make an informed investment. AML stands for ‘Anti-money laundering’ and is used to prevent bad actors from investing in your offering with monies obtained illegally.

Many issuers attempt to find solutions which automate this process or outsource the verification process to third parties (some of which are based in other countries) to save time. This could be detrimental to the protection of your investors’ private information if a third-party gains access to this sensitive data and even violate Regulation S-P data protection standards enforced by the SEC if a broker dealer was engaged as part of the offering.

This is why, when it comes to KYC/AML solutions, the Horizon software solutions take the following into account which we’ll touch on briefly, so you have a basis to compare your current methods to.

1. We don’t perform KYC/AML verifications ourselves, rather we streamline the collection of data. Does your service store investor data? Seek services that keep all of your investors’ information in memory until a representative can download and review the submissions on an S-P compliant medium. For example we recommend clients use a FIPS compliant external hard disk. This ensures sensitive data doesn’t leave the issuer’s control at any point in time.
2. We incorporate advanced identity verification technology such as anti-gaming technologies, machine readable ‘MRZ’ scans, and security hologram checks for IDS. This, along with the above method creates checks and balances to block the Donald Ducks and Elvis Presleys of the world that made it into Bittrex.
3. We put investors through our AML software solution, AMLCop, and flag potential bad actors before reaching the back-end where issuers begin checking the KYC information. It’s important to keep a record of who and when someone was cleared and even have the option to re-AML investors if you’re hoping to offer a dividend at some point.

TL;DR when it comes to KYC/AML

It is imperative that you understand that the issuer is ultimately responsible and liable for making sure that all investors are properly KYC’d and AML’d. We believe it is not prudent to rely on a third-party who could further outsource the data to be verified. Make sure this data remains secure from start to finish, and investor data isn’t incorrectly stored or further outsourced.

3. How are you maintaining the identities of your token holders when it comes to onward sales?

This is an interesting topic, namely because the SEC has hinted that they do not consider the blockchain to be a valid source of truth when it comes to verifying the identities of investors.

This can make things tricky when you begin listing your tokens on ATS’s.

One solution that we’ve found was the use of a Transfer Agent. Although not required when it comes to an offering pursuant to Regulation D, the use of a TA allows the issuer to know the identities of investors throughout the lifecycle of a token offering.

This mirrors what’s done with traditional securities and means that proxy notices can be sent, voting can be done, dividends can be paid, and state and federal laws complied with for estate management and regulatory reporting. TAs have played a key role in traditional security offerings for years and could maintain this role as the industry evolves to digital securities.

Now with the wave of anticipation for Reg A+ token offerings to enter the market after Blockstack’s recent filing, the use of a TA becomes even more pertinent as it is required in Tier 2 offerings pursuant to Section 17A of the Exchange Act, unless Section (12g) exempt which is hard to accomplish as it requires an offering to have less than 500 non-accredited investors, less than 2000 investors of all levels, and for the company conducting the offering to have less than $10M in assets on its balance sheet.

Okay so you went through the guideline and one or two red flags were raised. Now what?

1. Don’t panic- It’s great that you’re taking actionable steps to keep your offering compliant and your investors protected. In fact, give yourself a pat on the back for that.
2. We’ve developed our Rescission Software Solution for you to help bring a non-compliant offering back into compliance. If you, or an issuer you know could benefit from this type of software solution, please reach us at horizon@horizonfintex.com or learn more at https://www.tokenetics.com/.

A snapshot of Horizon’s Rescission Software Solution