Luxembourg embraces distributed ledger technology
Luxembourg has embraced distributed ledger technology (DLT) and its associated benefits for some time, with several pilot projects initiated as far back as 2016 to facilitate transfer agency services through DLT. The first fund subscription using blockchain was carried out in 2017.
Several Luxembourg laws have been amended to facilitate the introduction of this technology; the amending laws are often referred to as the Blockchain laws 1 and 2. These allow: (i) account holders to hold securities accounts and register securities by means of secure electronic recording devices, including distributed electronic registers or databases such as blockchain; and (ii) the issuance of dematerialised securities via DLT.
In 2020 virtual asset service providers (VASPs) were designated as being within scope of the anti-money laundering (AML) laws and required to register with the Commission de Surveillance du Secteur Financier (CSSF). The Luxembourg regulator has previously indicated that it adopts a technology-neutral approach to such innovation in the financial services industry. At the same time, it acknowledged that the integration of such innovation remains a "continuing challenge for regulators such as the CSSF".
On January 21, 2022, the CSSF published a non-binding white paper, which emphasises the risks associated with DLT and advises professionals to conduct a proper risk assessment when developing, providing, using or implementing DLT. The paper stresses the need for such risks to be clearly identified, mitigated and monitored throughout the life cycle of DLT use.
The white paper presupposes that the reader understands how the technology works and does not go into technical details, although it does provide a definition of DLT.
Streamlining business processes
The paper acknowledges the power of DLT to "streamline and digitise business processes by limiting or eliminating the need for reconciliations or intermediaries with the help of the DLT". In line with the CSSF's technology-neutral stance, however, the white paper makes neither a positive nor a negative assessment of DLT itself.
The white paper is broken down into three main sections which: (i) identify the main components of DLT and the different types of DLT available; (ii) highlight the roles and responsibilities of the different actors in the use of DLT (i.e., DLT developer, infrastructure provider, solution provider and users); and (iii) emphasise some of the main risks related to the DLT, both in terms of governance and technical risks.
The main components of DLT, which distinguish it from other traditional databases, are identified as: (i) the use of a consensus mechanism through the network of nodes; and (ii) the use of cryptography to ensure immutability, non-repudiation and authorisation of the transaction.
The white paper sets out instances when characteristics linked with different types of DLTs, such as access rights (public versus private; unrestricted versus restricted), validation rights (permissioned versus permissionless, semi-permissioned ledgers), and consensus methods, should be used to identify the appropriate governance and processes framework. This includes identifying how roles and responsibilities will be split between the parties involved.
The white paper identifies the main stages in the implementation of DLT-based solutions, detailing the parties involved and highlighting their responsibilities and contractual relationships.
The CSSF also provides a non-exhaustive list of cases in which it has observed DLT being used. Many of these are already known to market participants, such as know your customer (KYC), the transfer of funds and assets and fund distribution platforms.
Establishing a governance framework
The last section of the white paper poses a number of questions which a regulated entity wishing to use DLT should consider when establishing a governance framework, and when considering risk mitigation measures.
These include: (i) whether the use of DLT is justified, and which DLT model to use; (ii) how to manage changes at the DLT level; (iii) whether a licence or registration from the CSSF is required; (iv) liability in case of malfunction of the DLT and what dispute resolution mechanisms are available; (v) the procedure to enforce court decisions; (vi) legal effect and interpretation of smart contracts; (vii) mitigating risks associated with the design of DLT and its consensus algorithms; (viii) management of DLT's cryptographic keys; and (ix) mitigating traditional information and communication technology risks not directly relating to the use of a DLT.
The CSSF has created an innovation hub which aims to encourage openness and make it easy for those wishing to present an innovative project to contact the CSSF to discuss the project. The white paper provides valuable guidance to initiators of new projects on how to approach the regulator.
The framework surrounding DLT is fragmented, and General Data Protection Regulation (GDPR) and privacy concerns should not be underestimated.
The regulatory environment, including the Markets in Financial Instruments Directive (MiFID), is continually being adapted at EU level as part of the EU digital finance package. A proposal for a pilot regime for market infrastructures based on DLT has been published by the EU Commission, and market participants are already aware of the Markets in Crypto-assets Regulation (MiCA) and the Operational Resilience Act (DORA).
Recently the LuxSE, as part of a wider digital agenda, has admitted the first financial instruments registered on a public DLT to its Securities Official List, although these are not admitted to trading. These moves are aimed at providing enhanced visibility for security tokens and their issuers, as well as facilitating the dissemination of indicative prices and securities data for such tokens.
Article originally published by Thomson Reuters.