Launching a new crypto project involves many moving parts and unsurprisingly, in most cases, the team has good reasons to push for going live as quickly as possible. The hectic timeframes, the tedious marketing efforts and even pure adrenaline might cause even the most prudent entrepreneur to neglect the legal exposures and pay the price.
An interesting reason crypto entrepreneurs are not allocating enough resources to legal issues is that the murky regulatory environment causes them to underestimate the risks. This is a big mistake since we are living in a reality of increasing enforcement efforts and stricter regulation in many countries almost daily.
Here are 5 extremely common legal mistakes that entrepreneurs do, and which can expose them to heavy fines and even criminal liability. All of them are completely preventable of course by consulting an expert legal advisor and committing to do the work involved in implementing some basic rules.
- Issuing Securities
One of the biggest legal exposures as an issuer of tokens is that the regulators will consider such issuance as an illegal sale of securities to the public. Many “standard” features of crypto projects such as liquidity, staking, continued development of the project’s platform and tokens distribution to the team might trigger the legal tests used by the regulators.
Here’s a link to an article I wrote which deals entirely with these issues, including the infamous “Howey test” and the ways to lower the chance that your investors will expect profits to originate from the team’s efforts and your tokens will be considered securities: https://zachizach.com/how-can-nft-and-tokens-issuers-make-the-sec-happy/
- Not performing KYC
While many territories still do not officially impose KYC obligations on many types of crypto projects, it is recommended that your project will run KYC checks, on all customers if possible. There are two good reasons for that. First, regulation is coming and fast. Second, many bank and other payment services providers will simply not work with companies that do not do KYC.
Performing KYC is a little more complicated than just collecting a few documents. There are many obligations that are meant to make sure that the project will be alert to any potential money laundering or other illegitimate money transfers, and which involve among others having a policy for identifying irregular transactions, strange behavior, and the like.
- Incorporating and operating in the wrong territories
The decision where to incorporate your company should be based not only on taxation considerations but also on regulatory ones. But finding a “crypto friendly” country is not the whole story. Some territories will allow this type of activity but will also impose strict rules which will limit it and will cost you a bundle to follow (including in legal fees).
Other territories might be easy (and cheap) to operate in, but you might pay by having less than perfect reputation and find it difficult to convince first tier services provider (including payment service providers) to work with you. Finding your best option can be tricky, but it will make your life easier in the long run.
- Using bad contracts
A well-drafted contract is key to protecting your interests and maintain your brand reputation. But even more important is to use the right kind of contracts. Should you use a SAFT (simple agreement for future tokens) or a Token Purchase Agreement? Should you sell equity to your investors or tokens? Perhaps both?
Your contracts should also cover all important regulatory issues related to the countries from which your investors come from, especially the ones that have strict limitations on purchasing crypto tokens. Finally, you want to disclose to your investors all relevant risks associated with the issuance of the tokens.
- Ignoring data privacy laws
It is virtually impossible to sell tokens without triggering the various privacy laws applying in your investors’ home countries. Whether it’s the GDPR in the EU, the CCPA in California or otherwise, sanctions imposed on companies which were found to be in breach of privacy laws are harder than ever.
In addition to a solid privacy policy, you will need to make sure your business is as ready as possible to meet any inquiry from a privacy authority and that your staff is fully aware of data subjects’ rights and how (including how fast) they should respond to requests of data subjects for deletion of their information, etc.