Katherine Wu on regulation in crypto, and the cost of grey areas

Tonysheng.com is supported by the generosity of its members. In addition to funding the free weekly essay (published on Mondays), members receive an additional members-only analysis that is timely and substantial and transcripts of interviews (like this one!). You can become a member for $12/month or $100/year. The following is a sample of a members-only interview transcript.

Katherine Wu is the head of BD at Messari and a well-respected commentator on regulation in crypto. Follow her on Twitter and read her writings in Messari’s excellent newsletter, Unqualified Opinions.

TONY SHENG: Do you get really excited about regulation in crypto?

KATHERINE WU: God, you have no idea. It’s so funny because Ryan (Selkis) actually just this week was like, “I don’t think people realize just how much of a policy nerd you are at heart–it’s not an act.” It’s not an act at all. I get so excited when there’s some kind of a new enforcement or policy. I’m like, yes! No one bother me, I’m putting in my headphones, don’t talk to me until I’ve read this from top to bottom.

TONY SHENG: Why do you think that you like it so much? Why are you so naturally curious about it?

KATHERINE WU: I’ve been on the other side at the SEC and I know how much work goes into it and how the process works. It’s two areas that I really care about. I’m not a lawyer and I don’t do any legal work, but I’ve received so much legal training, it’s been my life for the past half decade. You don’t stick with law for that long. You don’t stick to that sort of commitment unless you really find enjoyment out of it. It’s law, but it’s applied to crypto which all of a sudden makes it really exciting. And you know, coming from the securities background, I’ve been following all the enforcement actions as they’ve come out–I can still count on my fingers the number of cases that had been released. When you can recall cases that have been brought by the various agencies that I’m familiar with, it makes it kind of fun. You can make that sort of connection.

TONY SHENG: Regulation and enforcement has been such an awkward and recent facet of crypto. In the past there were a few stories around and a lot of ties to crime, like Mt. Gox. But it didn’t really seem like it featured such a prominent role in the space. Now, it seems like the primary stories are around regulation. Why is that?

KATHERINE WU: 2017 in the ICO world would make anyone uncomfortable. You can be the biggest advocate of crypto and still be super uncomfortable with the way that the market has just exploded alongside the number of very scammy projects. Anyone would look at that and think, that’s terrible–how do we stop that? We’re all socially conditioned to want to stop that behavior.

It’s also the mainstream media. This is a very sexy topic to talk about. It’s internet money and it’s a cool sounding sexy sounding topic and it’s easy to write stories on and easy to sensationalize things. So the combination of retail investors generally getting hurt, people being able to raise money that shouldn’t be able to, and the stories being sensationalized. It’s one of those things where everyone’s going to start taking notice. And it sucks because there are genuinely awesome people who are building cool stuff in the space (like Decentraland). But you also have certain projects where people don’t understand the law or just blatantly ignore it.

TONY SHENG: You said something kind of curious just now that people are raising money that they shouldn’t be able to.

KATHERINE WU: You shouldn’t be able to raise $50 million dollars off of a white paper that’s plagiarized–that’s not even real.

TONY SHENG: Just to play purely devil’s advocate. Why not?

KATHERINE WU: I mean, it just feels wrong. It’s irresponsible to be like, you’re dumb and gave me money so good luck next time. That’s not being a good citizen. It’s a shitty thing to do.

TONY SHENG: What’s the role of the SEC?

KATHERINE WU: Let’s not even go to the SEC for a second–my major problem is, okay, fine, if you want to make an investment, I don’t want to stop you, but at least put out information that will enable someone to make that decision.

TONY SHENG: So insufficient disclosure is the problem.

KATHERINE WU: Yeah. If you’re going to buy a stock and it’s a dumb investment decision. Okay. If you’re very, very insistent on it and no one can stop you fine. These companies you can buy their stock because they have so much information out there. Right? Like you look at any risk factor in any filing. Those are pages long and you can make bad decisions, but at least the information is there, right? If you want to make a bad decision, make an informed decision.

TONY SHENG: Who decides what is the right amount of information?

KATHERINE WU: It’s a new industry so everything is a bit of trial and error. I think the most important thing is open communication. So like with anything that you’re asking, it’s not just unilaterally being decided by one party, I think it’s about having conversations and talking to people. The more you talk to people, the more you communicate and the more you ask about what are the important things that matter to various parties, the more you can reach consensus.

TONY SHENG: Let’s talk about a specific event that happened a few weeks ago. ShapeShift, a very popular crypto exchange that didn’t require users to create accounts, said they were adding a new feature where everybody had to create accounts. People were pretty unhappy, understandably, and you wrote an incredible Twitter thread digging into why this might have happened and alluded to pressure from regulators and maybe even the potential of criminal charges. Can you help me unpack this?

KATHERINE WU: To recap, ShapeShift came out of seemingly nowhere and said, we’re going to start implementing these quote unquote memberships, which I think was a nice way of saying we’re going to force you to create accounts? Prior to this announcement, you could go and exchange different kinds of cryptocurrencies without having to do anything more than creating a username without giving any sort of really detailed personal information.

People were kind of taken aback, especially knowing Erik (Voorhees) because he’s an OG figure in the crypto space that’s always been super outspoken about his libertarian viewpoints. So there were a number of reactions: one was anger, justifiably so, and another was confusion–like why is he backtracking? When I first read the announcement, my first thought was that this is about AML because ShapeShift arguably could be a money service business under the definition of FinCEN, which is a bureau of the US Treasury. And if they define you as a money service business, you have to go through a whole host of procedures operationally.

And that includes this thing called KYC–know your customer. There are a lot of reasons why KYC strengthened immediately after 9/11. KYC or AML were really implemented to combat potential terrorist financing. So the Patriot Act, which was passed immediately in the aftermath broadened that power because–there was a global proliferation of anti money laundering laws and worldwide investigations. And of course now we know that KYC and AML not only negatively impacted terrorist financing (which is good) but also accidentally put domestic and international businesses at risk. AML is clearly not targeted at small businesses but they are now forced to start doing KYC–which has a lot of costs.

Does ShapeShift exist because they want to launder money or finance illegal things? No. Right. And you can say the same argument for a lot of companies, but like I said, you know, this is the law and if they define you as a certain type of business, you just have to comply with the procedures in order to operate in the country that you want to operate in.

So what are the next steps for ShapeShift? Implementing accounts because they need to start collecting information. That seems to me like a very standard first step towards KYC compliance, which is getting user information. A lot of people think because ShapeShift is not a US company, they don’t need to comply. But ShapeShift not only runs operations or parts of its operations out of Denver, they also serve a ton of US customers. Simply serving US companies puts you on the hook.

TONY SHENG: It seems like any entity that’s handling cryptocurrencies and moving them from one party to another would be subject to the same rules. Right?

KATHERINE WU: If you’re a centralized company, yes. For example, you can clearly point to ShapeShift. There’s an office and a group of people running it. And when you can pin responsibility, then you can force compliance that way.

TONY SHENG: There was another story where 1broker was shut down temporarily in the US for insufficient KYC compliance.

KATHERINE WU: The 1broker case is actually a little bit different from ShapeShift. ShapeShift is in FinCEN’s jurisdiction. 1broker was brought on in parallel by both CFTC and the SEC, which are separate agencies–which is very uncommon because both of these agencies regulate very different things. The SEC regulates securities and the CFTC, broadly speaking, commodities and futures.

Both of these agencies were able to bring this case because the quote unquote contracts for difference in question had both commodities and securities as underlying assets. And the funny thing is that in the two complaints, each agency characterized the same instruments differently. So the SEC called them securities based swaps and then you had the CFTC calling them essentially look-alike futures. This is a weird intersection of enforcement where it really should have been separately operated but overlaps here. And so I think we’re either seeing potential for inter-agency coordination. And this could be an interesting jurisdictional battle. A lot of people conflate all these different agencies. But the reality is that all these agencies regulate very different things.

TONY SHENG: In crypto, the jurisdictions aren’t super clear yet.

KATHERINE WU: This is why this case was super interesting. The SEC works with the Department of Justice a ton because the SEC can only enforce civil punishments, which means they can only fine you or bar you from selling securities or whatever. They can only do that to you. They can’t criminally charge you. That’s where the Department of Justice comes in, which makes sense. But the CFTC is also a civil law enforcement agency. So it’s very strange to see a parallel action with the CFTC and the SEC.

TONY SHENG: It feels like even if you’re not operating in the US, the agencies can reach you if you touch US users at all.

KATHERINE WU: Oh gosh, there’s this whole course in the first year of law school called civil procedure and you literally learn a whole semester of different ways you can sue someone and there are thousands or hundreds of rules that you literally have to just know. The reason why I bring this up is it’s not just about personal jurisdiction. It is about where your customer is based, but also whether or not you as a business are even taking steps to try and avoid doing business in the country.

So for example, personal jurisdiction is, say, US citizen. There’s also this other kind of more general one called special jurisdiction, which looks at are you purposefully doing business in the United States versus doing it by mistake. They can look at a number of factors like how many US customers are you actually serving? If it’s just one or two accidentally, it’s hard to say that you acted intentionally to serve US customers. They could also look at how much money has been made on these services? Right? Are you actually trying to stay away? Are you at least trying to block US users or something?

TONY SHENG: Just make a good faith effort.

KATHERINE WU: Yeah, exactly. Make a good faith effort. Regulators so far have gone after cases that are blatantly violating rules or think that they’re above the law. You know, I don’t think they’ve gone after the really good faith actors who are trying to abide by what’s right. To be honest, the agencies don’t have the resources to do that. The SEC, for example, they just don’t have that many employees.

TONY SHENG: The takeaway that I can’t help but come to is that if you want freedom from surveillance or censorship even just hypothetical but possible censorship and surveillance, it’s not going to happen through the centralized companies. The only way to do it is through something that is actually truly private and not under the control of any one entity.

KATHERINE WU: Just be truly, truly decentralized. Right? That term’s been thrown out a lot. But the fact of the matter is that most things are centralized right now.

TONY SHENG: Let’s dig into that a little bit. What’s the worst that could happen if you created a network that provides the same service as ShapeShift? If it was like one of the ICO projects in 2017 where there’s a foundation and a figurehead–there’s probably risk to those folks. Do you have to have an immaculate conception and anonymous open source contributors? What degree of decentralization do you need?

KATHERINE WU: I don’t know. We haven’t seen many cases. It’s sort of the key man risk, right? Okay, if I go after one person and bar them from doing this is your entire company or entity or service going to go down? And if I can tag that, then it’s probably not as decentralized as you think it is. I don’t know what ultimately the quote unquote legal definition is going to be. So I’m just spitballing here, but that seems like a common sense conclusion to me.

TONY SHENG: Could a regulatory body or law enforcement agency come after a user for using a network that they don’t like?

KATHERINE WU: That would be way down the line. For now we are seeing them coming after, not the direct issuers but the intermediaries. We saw the SEC go after a broker-dealer. It’s the people who facilitated your unregistered security.

TONY SHENG: Yeah. And the broker dealers are the ones that helped form the capital.

KATHERINE WU: My hunch is this also extends to, for example, lawyers who are in this space because if you’re the one that signed off on something that’s clearly not legal, then you can also face penalties. Enforcement is going to target direct issuers and intermediaries in the meantime.

The gray area is hard and the regulatory uncertainty is hard and unfortunately for any businesses that are outside of the US, the question I think slowly becomes, okay, well how important are US customers? And that’s not good. You don’t want to squash products or innovation from happening within the US borders. So if more and more companies are located abroad or skip the entire US, that’s ultimately bad. So that’s a question that I think regulators have to grapple with.