Subscribe to our blog
Get ahead with our award-winning insights on the latest developments in the fraud and compliance landscape. Enter your email below to receive our blog posts directly to your inbox.

Post Written by

Most ICOs are Securities Requiring AML and Compliance

Last week, the Canadian Securities Administrators (CSA) released notice 46-307 to initial coin offerings (ICOs) that impacts:

  • ICOs everywhere in the world with Canadian buyers
  • Exchanges that trade ICO coins to Canadian customers
  • Companies in Canada that are conducting an ICO

In this notice they list:

  1. How to tell if your ICO is a security
  2. Security regulations & potential exemptions to those regulations
  3. Why tokens for businesses are still regulated  
  4. Why exchanges are now regulated
  5. Cybersecurity requirements

1)   How to tell if your ICO is a security.

To determine if an ICO is a security in Canada has four requirements. It’s the ‘Howey Test,’ the same requirements as the United States. All the following must be met

i) An investment of money (including virtual currency)
ii) In a common enterprise
iii) With the expectation of profit
iv) [Work] to come significantly from the efforts of others

One good thing about this definition is that if you’re not a security in the US, you won’t be a security in Canada. Conversely, if your ICO is a security in US because of the Howey test, you’re also a security in Canada.

2) Security regulations and potential exemptions to those regulations

    If your ICO or ITO is deemed a security you must:

A) Create a Prospectus – a tremendous amount of work

i) no firm conducting an ICO or ITO has done this – The CSA has noticed, and are saying companies who have previously conducted ICO’s are securities and aren’t complying with the necessary regulation

ii) A whitepaper is not sufficient – Whereas a white paper specifies the technology behind the ICO and what you’re trying to build, the Canadian prospectus says that “investors must be provided with a document that complies with the requirements of securities laws”. This means that you need to know security laws to know what’s required

iii) Investors can sue for losses – The notice provides for “civil remedies against companies that fail to comply with securities laws, including a right to withdraw from the transaction and/or damages for losses.”

B) Potential Prospectus Exemptions – The exemptions are not any better

i) ICO issuers can only sell to accredited investors – Accredited investors are considered savvy enough to know the risk involved with their actions, however this limits the buyer pool significantly

ii) Offering memorandum – have slightly less regulations, but they are still onerous. You must:

a) Limit the amount a customer can purchase
b) Obtain a signed risk acknowledgement form from each investor
c) Provide audited annual financial statements and ongoing disclosure to investors, as required;
d) Comply with resale restrictions, which will generally preclude coins/tokens from trading on cryptocurrency exchanges; and
e) File reports of exempt distribution with the securities regulatory authorities (In Canada the securities regulator is within each province jurisdiction

3) Why tokens for businesses are still regulated  

Companies that claim their ICO isn’t a security because it’s for business purposes have provided the following factors, among others, for whether a person or company is trading in securities for a business purpose.

Are you:

i) Soliciting a broad base of investors, including retail investors
ii) Using the internet, including public websites and discussion boards, to reach a large number of potential investors;
iii) Attending public events, including conferences and meet-ups, to actively advertise the sale of the coins/tokens; and
iv) Raising a significant amount of capital from a large number of investors


What this likely means is that every ICO that touches Canada for business purposes has regulatory requirements. They must:

i) Verify investors’ identities – know-your-client (KYC)
ii) Scan sanctions lists (Office of the Superintendent of Financial Institutions) and review for Politically Exposed Persons (PEPs)
iii) Identify high risk customers
iv) Collect sufficient information – names, email addresses and/or IP addresses would not be sufficient
v) Have investor protections including limits on investment amounts and concentration, as well as risk warnings
vi) Provide monthly reporting to customers – statement of account
vii) Reporting to Federal Regulator (FINTRAC)

The CSA notes that businesses can fulfil their obligations through a robust, automated, online process. IdentityMind already has an online KYC process that supports these requirements.

4) Exchanges are now regulated

Canada requires that any exchange that lists securities be regulated. As ICO’s are considered tokens, this means that any cryptocurrency exchange is likely a marketplace and is required to comply with the rules governing exchanges including.

i) Businesses and individuals must apply to the jurisdiction’s securities regulatory authority for registration
ii) Individuals who are advising on securities must be registered with the provincial regulator which requires among other elements, an educational component to attain registration

5) Cybersecurity requirements

Persons or companies facilitating ICOs/ITOs of coins/tokens that are deemed to be securities must have strong compliance systems in place, with policies and procedures to include addressing cybersecurity risks.

Businesses in the cryptocurrency space should ensure that they have strong cybersecurity measures to safeguard the business and its investors personal and financial information.

The Notice doesn’t say what the remediation options are if there is a cyber loss, but the vagueness doesn’t preclude investors from successfully suing anyone whose personal information is breached or worse; loses money due to cyber-attack.

In summary, Canada has clearly specified that most ICOs are a security and will be regulated as such. Therefore, going forward, If a Canadian customer does manage to buy, they can sue for any losses if a prospectus isn’t filed. Therefore, going forward, companies are going to need to do the following:

  • Determine their status,
  • Register their business with the applicable provincial regulator,
  • Determine if an “advisor registration” is needed,
  • Create and file a prospectus with the provincial regulator,
  • Implement compliance controls,
  • Implement a robust KYC process,
  • Create an AML program, and
  • Report regularly where and when applicable
The Canadian KYC process for non face to face transactions is strict and includes one of the following:
  • Single Source Verification: verify the customer’s personal information such as name, address, and date of birth, using a credit file that has existed for at least three years
  • Dual Source Verification: verify the name and address from one source, and name, address, and date of birth, using information from two or more independent and reliable sources
  • Sanctions watchlist screening
  • PEP Screening
  • Record retention requirements
Moreover, these are not just words, these are strict requirements says Angela Chartrand, CEO of Sentinence, an AML Consulting firm based in Canada. “The Canadian Government is very interested in protecting its citizens and this notice demonstrates that. We can expect that they will be vigilant in monitoring and enforcing compliance.” This has been demonstrated by the Autorité des marchés financiers (AMF) in Québec who essentially shut down an ICO by PlexCoin.

IdentityMind helps virtual currency firms comply with Canadian KYC regulations in an automated fashion so that manual reviews are minimized and companies can be confident they will not get in trouble with the law.