Overview

• In the past few years, there is a proliferation of use cases of block-chain technology including non-fungible tokens, crypto-currencies and smart contracts.
• This map will explore some key cybersecurity-related issues regarding block-chain including legal and policy frameworks as well as industry materials & practices.

Background

• As a relatively new technology, there is currently no specific legislation on block-chain in Australia. Under the current law, block-chain technology is indirectly regulated various legislative frameworks. Nevertheless, there has been extensive consultations, inquiries and studies regarding how Australia can better regulate block-chain technology.
• Early 2023, the Digital Assets (Market Regulation) Bill 2023 was introduced. It aimed to provide a framework for digital asset exchanges, digital asset custody services, and the issuing of stable coins, among other regulations pertaining to digital assets and designated central bank digital currency. Although rejected by the parliament, the bill is regarded as an important first step in the regulation of block-chain technology in general and cryptocurrency in particular.
• See ‘Blockchain & Cryptocurrency Regulation 2023’ for a recent summary of crypto-currency related laws. (Gilbert + Tobin, 2022)

Legal Framework

The financial services regime under the Corporations Act 2001 (Cth) and its cyber-security implications

Crypto-asset is a type of digital asset that operates on block-chain technology, that is, a decentralised distributed ledger that records transactions across different platforms or computers. It utilises cryptography to secure transactions and prevent tampering. There are different types of crypto-assets such as crypto-currency, non-fungible tokens and stable coins. (Australian Government, 2023)

Scope

The Australian Securities and Investments Commission (ASIC) Information Sheet 225 provides high-level signposts for crypto-asset participants. It explains that, under the Corporations Act 2001 (CA), crypto assets could be classified as financial products if they fall under the categories of managed investment schemes, securities, derivatives, or non-cash payment facilities.

• Managed investment schemes: A managed investment scheme is defined by three elements: people contributing money or assets to gain an interest in the scheme, the pooling of contributions for common financial benefits, and contributors not having day-to-day control over the scheme. (s 9 of CA)
• Securities: If the crypto asset or ICO offers rights akin to shares or options to acquire shares, it may be classified as a security under the Corporations Act. For instance, if the product offers the right to be issued shares in the future, it may be an option. (s 92 of CA)
• Derivatives: A ‘derivative’ is a product that derives its value from another ‘thing’ which is commonly referred to as the ‘underlying instrument’ or ‘reference asset’. The underlying instrument may be, for example, a share, a share price index, a pair of currencies, a commodity or a crypto-asset. (s 761D of CA)

If a crypto asset falls within the regulatory provisions dealing with financial products and financial services, the person(s) dealing in that financial product are required to hold an appropriate Australian Financial Services Licence (AFSL) or be an Authorised Representative of an AFSL holder. Furthermore, if issuing crypto assets that are deemed financial products, Australian laws necessitate holding an AFS license.

Cyber Security Obligations under Australian Financial Service Licence

Under ASIC Regulatory Guide 104, entities holding an AFSL must comply with licensing obligations relating to the security of client records (Regulator Guide, July 2015, RGs 104.93, 104.96). This article by Clayton Utz comprehensively highlights the cyber security obligations for AFSL under the CA. These include:

• do all things necessary to ensure that the financial services covered by its licence are provided efficiently, honestly and fairly (s 912A(1)(a) of CA);
• comply with the conditions on its licence, which include a requirement to establish and maintain compliance measures that ensure, as far as is reasonably practicable, that it complies with the provisions of the financial services laws (s 912A(1)(b) of CA);
• comply with the financial services laws (s 912A(1)(c) of CA);
• have available adequate resources (including financial, technological and human resources) to provide the financial services covered by its licence and to carry out supervisory arrangements (s 912A(1)(d) of CA); and
• have adequate risk management systems (s 912A(1)(h) of CA).

Note that the above is a list of obligations ASIC alleged in the recent proceeding of ASIC v Ri Advice Group Pty Ltd . This demonstrates ASIC’s stance on the issue of cybersecurity pertaining to AFSL.

The credit activities and services regime under the National Consumer Credit Protection Act 2009 (Cth) and its cyber-security implications

Scope

Cryptocurrency lending activities may fall under the ambit of credit activities and services as defined by the National Consumer Credit Protection Act 2009 (NCCPA). When such activities are within this scope, the entities involved may need to comply with the NCCPA regulations.

• Section 6 of the NCCPA outlines the definition of credit activity
• Section 29 of the NCCPA puts forward the prohibition on engaging in credit activities without an Australian Credit Licence

Entities engaging in cryptocurrency lending may be required to hold an Australian credit license unless they are otherwise exempt from this requirement under the NCCPA. Holding a credit license requires these entities to adhere to the standards and regulations set forth in the NCCPA, ensuring consumer protection and compliance with Australian credit laws.

Cybersecurity obligations for Australian Credit Licence Holders

This ASIC guide provides the general obligations for Australian Credit Licence holders:

• General conduct obligations include: (NCCPA s 47)
  • acting efficiently honestly and fairly
  • being competent to engage in credit activities, and ensuring your representatives are competent and being able to ensure your clients are not disadvantaged by any conflicts of interest that you or your representatives may have in relation to your credit activities
  • ensuring you and your representatives comply with the credit legislation
  • having appropriate dispute resolution systems (including both internal systems and being a member of an external dispute resolution scheme)
  • having appropriate compensation arrangements in place (which for some will include holding professional indemnity insurance)
  • having adequate resources (including financial, technological and human resources) and risk management systems
  • having appropriate arrangements and systems to ensure compliance.
• NCCPA also contains more specific obligations and requirements, including:
  • the responsible lending requirements (ascertaining and verify a consumer’s financial situation and assessing whether the credit contract is not unsuitable)
  • requirements in the National Credit Code dealing with precontractual disclosure and conduct in relation to the terms of credit contracts and consumer leases
  • maintaining trust accounts (if you hold money on behalf of another person while providing a credit service).

Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and its cyber-security implications

Australia's Anti-Money Laundering and Counter-Terrorism Financing regime is a comprehensive framework designed to prevent money laundering and terrorist financing activities under the Anti-Money Laundering and Counter-Terrorism Financing Act (AML/CTF Act). A key amendment to the regime came into force on 3 April 2018 to include the concept of digital currency exchange (DCE) and it aims to bring DCE providers under the same regulatory framework as other financial institutions, such as banks and money remitters.

Under the new laws, DCE providers, who facilitate the conversion between fiat money and cryptocurrencies are required to comply with various obligations to ensure that they are not facilitating illegal activities. Here are the key obligations for DCE providers under Australia's AML/CTF regime:

1. Register with AUSTRAC: DCE providers must register with the Australian Transaction Reports and Analysis Centre (AUSTRAC), the government agency responsible for preventing and detecting criminal abuse of the financial system.
2. Know Your Customer (KYC) and Due Diligence: Providers must perform KYC procedures to verify the identity of their customers. This includes collecting and verifying information such as the customer's name, date of birth, and address. They must also perform due diligence to understand the nature of the customer's business and assess the money laundering and terrorist financing risks associated with the customer.
3. Reporting: DCE providers are required to report certain transactions and suspicious matters to AUSTRAC. This includes reporting transactions that are above a specified threshold or that are suspected to be related to illegal activities.
4. Record Keeping: Providers must keep records of customer identification, transactions, and other relevant information for a minimum period of seven years. These records must be available for inspection by AUSTRAC upon request.
5. Risk Management: DCE providers must have systems and controls in place to identify, mitigate, and manage the risks of money laundering and terrorist financing. This includes conducting risk assessments, monitoring transactions, and implementing policies and procedures to manage identified risks.

Electronic Transactions Act 1999 (Cth)

Smart contract is a self-executing contract with the terms of the agreement directly written into code. Smart contracts automatically execute actions when certain conditions are met which reduces the need for any intermediaries. Smart contracts operate on block-chain and block-chain’s decentralised nature ensures transparency and immutability, meaning that once a smart contract is deployed, it cannot be altered.

The Electronic Transaction Act 1999 (ETA) governs the execution of self-executing transactions using blockchain or distributed ledger technology.

• Section 15C of the ETA validates a contract formed by automated message systems despite no natural person having reviewed it or intervened. Furthermore, section 8 of the ETA stipulates that a transaction is not invalid because it took place as electronic communication. This allows a smart contract to autonomously enter parties into legally enforceable contracts.
  • See Giancaspro, Mark, ‘Is a ‘smart Contract’ Really a Smart Idea? Insights from a Legal Perspective’ (2017) 33(6) Computer Law and Security Review 825
• The ETA acknowledges the legal enforceability of smart contracts, thereby subjecting them to traditional contract law principles like intention, agreement, and so forth.
  • See Nguyen, Son T, ‘Consumer Protection Against Unfair Contract Terms in the Age of Smart Contracts’ [2023] Federal Law Review

The ETA is designed to support the rising adoption of electronic transactions, including smart contracts, while also serving as a deterrent to contract fraud. It enables parties to legally ascertain the authenticity and validity of electronic data, thereby bolstering cybersecurity and reducing the potential for fraud in electronic transactions, including those involving automated contracts. See below for some provisions concerning the validity of, authenticity of and access to electronic transactions:

• The ETA allows for electronic signatures to meet signature requirements under the law. It specifies that a requirement for a signature under a law of the Commonwealth can be met in electronic form (ETA s 10).
• The ETA also covers the electronic production and retention of documents, where it specifies that the requirements to produce and retain documents under a law of the Commonwealth can be met in electronic form (ETA s 11-12).
• The ETA provides provisions for determining the time and place of the dispatch and receipt of an electronic communication and the attribution of electronic communications to the purported originator (ETA s 15).

The consumer law and unfair contract terms regime under the Australian Consumer Law, Schedule 2 to the Competition and Consumer Act 2010 (Cth)

• Smart contracts lack a distinct characteristic that would enable them to bypass the stipulations set forth in Australian Consumer Law (ACL), notably, Part 2-3 of the ACL, containing specific protections against ‘unfair’ contract terms.
  • See Nguyen, Son T, ‘Consumer Protection Against Unfair Contract Terms in the Age of Smart Contracts’ [2023] Federal Law Review
• Therefore, smart contract consumers are protected against unfair contract practices. If a term in a smart contract is unfair, it will be deemed null (ACL s 23).

Regulatory & Policy Framework

Organisations

Australian Prudential Regulation Authority

Australian Transaction Reports and Analysis Centre

Australian Securities and Investments Commission

Australian Competition and Consumer Commission

Blockchain Australia

Policies

Blockchain Australia – Code of Conduct

ASIC - INFO sheet 225 – crypto-asset

APRA - Crypto-assets: Risk management expectations and policy roadmap

Inquiries

• The National Blockchain Roadmap: Progressing towards a blockchain-empowered future
  • In February 2020, Australia has outlined a National Blockchain Roadmap focusing on regulation and standards, skills, capability, innovation, and international investment and collaboration. This roadmap is expected to guide the nation towards a blockchain-empowered future, underlining the government's commitment to harnessing blockchain's potential.
• Select Committee on Australia as a Technology and Financial Centre
  • The report delves into the realm of cryptocurrency and digital assets, 'de-banking' practices affecting Australian FinTechs and other businesses, and several other issues relating to Australia's position as a technology and financial centre.
  • Final report of the committee is released in October 2021.
• Token Mapping
  • The token mapping exercise is a foundational initiative aimed at developing appropriate regulatory settings for the crypto sector. This exercise seeks to identify how crypto assets and related services should be regulated. It was undertaken following a major consultation period and was seen as a step towards crypto reforms in Australia.
  • A consultation paper of the token mapping exercise has been published in February 2023 to explore which elements of the cryptocurrency ecosystem require additional regulation.
• Regulating digital asset platforms
  • The proposed framework aims to extend the existing financial services regulatory regime to digital asset platforms, especially targeting those with similar risks to traditional financial entities.

Reforms

• Digital Assets (Market Regulation) Bill 2023 (Cth)
  • The Digital Assets (Market Regulation) Bill 2023 seeks to implement certain recommendations from the final report of the Senate Select Committee on Australia as a Technology and Financial Centre. This includes providing a framework for digital asset exchanges, digital asset custody services, and the issuing of stablecoins, among other regulations pertaining to digital assets and designated central bank digital currency.
  • The bill was rejected in September 2023 by the Senate Economics Legislation Committee due to its lack of detail and certainty, lack of congruency with international regimes and the fact that it did not align with the government’s visions in general. The committee suggested to continue the consultation with the industry stakeholders (Parliament of Australia, 2023).
  • Consequently, the result of the token mapping consultation is still pending. KWM has created this fintech regulation timeline that encapsulates the ongoing consultation process.
• Privacy Act 1988 (Cth)
  • Block-chain technology is immutable, meaning that once data is recorded, it cannot be altered or deleted. This poses a potential conflict with the ‘erasure right’ under a proposed Privacy Act 1988 (PA) reform, which gives right to individuals to erase personal data upon request.
    • Under the Privacy Act review, which was undertaken following the recommendations of the ACCC’s 2019 Digital Platforms Inquiry, the introduction of ‘erasure right’ (proposal 18.3) to the PA’s legislative framework is a key recommendation by industry stakeholders, following Article 17 of the GDPR (Privacy Act Review Report – Attorney-General, 2022).
    • Subsequently, the Australian Government released its response to the Privacy Act Review in September 2023. Regarding the ‘right to erasure’, the government agreed-in-principle, demonstrating the its commitment to incorporate this right in the potential 2024 amendment of the PA (Government Response to the Privacy Act Review Report - Australian Government, 2023).

Standards

ISO/TC 307 - Blockchain and distributed ledger technologies

Industry Materials & Practices

101: The basics of blockchain for business (PWC, 2022)

The Legal 500: Blockchain (Gilbert + Tobin, 2022)

Blockchain 2030: A Look at the Future of Blockchain in Australia (Data 61, 2019)

What's next for cryptocurrency regulation in Australia in 2023? (Lander & Rogers, 2022)

Related Topics

Consumer Law