There’s a lot of noise out there about crypto law: armchair IANALs¹ opining about the Howey Test, while most real lawyers are confined to giving simplified generalities. Having spoken to many Dragonfly portfolio startups now about their legal and regulatory concerns, and previously being the first lawyer at Stellar, I’ve come to realize that most founders are totally clueless about how to navigate crypto law and regulation from an operational POV. Figuring out good practices is hard and time-consuming. Therefore, I present a distillation of “zero to one” practical legal considerations for operating a crypto project.²
Sincere gratitude to Marc Boiron for his helpful insights on this subject. Also, many thanks to Haseeb Qureshi, Zack Skelly, and Celia Wan for their careful review and feedback.
Why legal is so important
Crypto startups start off focusing on technology, marketing, and community but often overlook legal. It’s natural to get swept away building cool stuff and see legal as a footnote (“…but I’m decentralized!”).
However, this would be a mistake, even if you think you are operating as an “anon”³: class actions, enforcement actions, criminal investigations, consumer harm, and unexpected taxes could be waiting for you around the corner. If it doesn’t hit you now, it may in five years. Don’t Dunning-Kruger yourself into thinking you have legal figured out just because your Twitter image is a PFP and you’ve memorized the four prongs of the Howey Test.
Legal impacts product, operations, marketing, partnerships, and corporate structuring. There’s no boilerplate for crypto law given the rapidly evolving law and regulation, and different counsel may tell you different things depending on their level of conservatism and interpretations of current trends. Additionally, your personal appetite for risk will significantly impact your approach, so you must understand your own boundaries.
The aim of this article is to provide startup founders some operational tips that are informed by many years of up-close experience in crypto law. How do crypto startups set up legal such that they’re setting themselves up for the long haul? What are some common pitfalls? What infrastructure should they set up?
The goal of this article is not to explain crypto law 101. The 0x Legal Wiki curated by Jason Somensatto, though a bit dated, is still the best place to read about the basic legal regimes covering crypto. Also, nothing in this article is legal advice. It is critical that companies get targeted legal advice from reliable, experienced external counsel.
That said, here are my 11 top pointers.
1. Structure your company correctly
Before you can receive VC funding, you need an investable entity that has completed corporate registration in your jurisdiction of choice, corporate organizational documents in place, and (when applicable) IP agreements in place with employees, contractors, and affiliates.⁴
Corporate structuring could have a significant impact on tax liability, regulatory risk, regulatory obligations, and general liability. You should consider where you want to incorporate, whether you’d like to use multiple entities, which entity performs which functions, who governs the entities, and what corporate form you’d like to use for each entity. Many protocols involve multiple entities, for example, perhaps placing a token generation entity offshore, a software development entity in a jurisdiction with great legal protections for software development, and an entity to host a front-end interface or perform business development. If the entities are properly structured and corporate formalities are observed, you should be able to isolate risks and obligations between entities.
Your corporate structuring decision doesn’t need to be all figured out by day one, but you should consult and work with your external counsel to make sure that your initial setup provides you the flexibility to expand in the future.
2. Set up internal policies
You need to set expectations with your co-founders, employees, contractors, and key ecosystem members about acceptable behavior. One bad apple can taint the reputation of the entire project. Some policies that I’d suggest all companies consider⁵:
a. Communications Policy:
Be aligned as a company on how to communicate what your product is, what your token does, the role of your company in interfacing with users and funds, and what your roadmap is. Set expectations with users on what exactly you can and cannot provide them due to the limitations of your technology.⁶ If your project is new, be sure to explain to users that your technology is in development, risky to use, and may result in loss of funds. Tell your team not to market or promise anything with regard to token price (how can you really know?) or with partnerships that are not set in stone.
What your team says on Twitter, Discord, and Telegram may be used to represent the company’s views unless clearly delineated. As an example, look at all the instances where Ripple executives and employees were cited in the SEC’s complaint against Ripple Labs, Inc. Make sure your team (especially the marketing team) understands the boundaries of how they can communicate.
b. (For token projects) Trading Policy:
If your project has a token, you may consider setting up a team trading policy such that the team won’t trade or front-run crypto based on material nonpublic information or perform or direct trades that could result in market manipulation. This builds community trust and avoids accusations of market manipulation.
You may consider an internal policy laying out lockup schedules and selling restrictions for your team.
c. Sanctions Policy:
Sanctions violations are strict liability offenses, so have some basic procedural checks to make sure you avoid that (e.g., make sure you’re not interacting with someone who resides in a sanctioned country, do a search on the OFAC database to make sure you’re not interacting with a sanctioned wallet or individual, consider imposing IP restrictions on your front-end).
3. Understand all your docs and communications may be discoverable — very little is truly private
Avoid bad jokes in your internal communications. In a regulatory subpoena or private class action discovery process, you may be required to hand over all messages you’ve sent and all your docs on a matter. This may also include recollections of phone calls and other ephemeral messaging. Avoid saying things that would look bad out of context.
The exception would be attorney-client privileged docs, but the scope of what falls under this category may differ depending on jurisdiction. Know that scope well if you’re discussing sensitive strategy.
4. Have accurate content
Make sure your website, social media, and other external facing messages are accurate and not misleading. Your website, marketing, and public messages are the top things potential plaintiffs and regulators will look at to build a case against you. Your users will also learn about your product from your content, and users may be harmed if they misunderstand the product.
Provide proper disclaimers and disclosures where appropriate so your users know what they’re getting into. Don’t make outlandish claims (9000% APY) without proper caveats and definitions.⁷ For front-end interfaces, make it clear what the front-end does and doesn’t do. Don’t describe your product using words from the TradFi world for an analogous product without sufficiently prominent caveats about how the products differ. Maybe just create a separate word for your product instead of using TradFi terms.
It’s worth it to have external counsel review your site and marketing materials at least once. They should rake through your website and point out your blind spots.
5. Have a Terms & Conditions page & Privacy Policy
You might want the T&Cs to include disclosures about your technology, limitations of liabilities, disclaimer of guarantees/warranties, risk disclosures and assumptions, descriptions of your marketing terms (e.g., what do you really mean by “free” or “APY”?), eligibility criteria for users to use your front-end or participate in certain benefits (e.g., airdrops), prohibited conduct, and restrictions in geography. Mandatory individual arbitration is now a standard and can be useful to avoid a class-action or group arbitration. If your product involves community interactions, consider a community behavior policy and content-moderation policy.
Your Privacy Policy should probably include disclosures and warnings about the permanence and fragile pseudonymity of blockchain transactions. Luckily, you can hire external counsel to help craft these policies. You can also look at examples from some of the leading projects in your field for inspiration.
6. Understand your intellectual property (“IP”) strategy
Most crypto protocols are licensed under permissive open-source licenses such as Apache 2.0 or the MIT license. The industry generally supports these licenses since they’re a boon for fast iterative innovation, but some projects may benefit from a bespoke approach, such as a license to discourage fast-follower forks. For example, the Uniswap 3.0 license deters forking within two years, and MetaMask’s license makes its software open to use unless you commercialize a fork and have over a certain number of monthly users.
If your codebase is open to public contribution, you should ensure that contributors assign appropriate IP rights for their code to an entity that can provide the project code under your license of choice. This is often done via a contributor licensing agreement, which is sometimes automatically embedded in the contribution process if you use GitHub.
Obtaining a trademark can be a powerful way to efficiently take down online fraudsters. Domain registrars and social media platforms are very responsive to claims of trademark violations. However, as with all IP, you have to identify the proper entity to own and enforce the IP. There is a double-edged sword to IP: enforcement and ownership of IP could be seen as a factor against decentralization since the processes are reliant on a central entity.
7. Understand the tax implications of token issuance
If your project involves a token, make sure your company is appropriately structured by the time the token is released or sold. Once a token is released and the fair market value is decided by the market (alternatively, when a token interest is sold via a token purchase agreement or SAFT), the tax valuation of your company and tokens may change such that you are no longer able to give grants to employees that allow them to capture significant upside. This could also result in significant and irreversible tax consequences depending on your local tax regime.
You could choose to provide token incentives to employees in various ways, such as unrestricted token grants, restricted token grants, token options, and restricted token units. The tax treatment and timing of these approaches differ significantly, so speak to a tax lawyer to craft the most appropriate format for your project stage and plans.⁷
8. Don’t succumb to the pitfalls of crypto marketing
It’s tempting to get celebrities to hype your product. It’s a bad idea, though, to pay influencers (or anyone else) to promote your project unless you make sure the influencers disclose they were paid for such promotion.⁸
It’s a bad idea to make outlandish promises that are unsubstantiated by facts — you may get investigated for fraud if these promises don’t pan out.
Generally, using viral marketing techniques related to tokens — e.g., refer five people to get X tokens — will draw more scrutiny from regulators and may be a bad look for your project.
Don’t promise token price movement or even token volume. Generally, don’t promise things you can’t control.
9. Make sure to get experienced external legal counsel
Good crypto lawyers are worth their weight in gold, probably literally.
Hire counsel with prior crypto experience. While I’m open-minded to new crypto lawyers, it can be risky and time-consuming to work with counsel who has not previously done crypto-related product counseling, regulatory advisory, or financing deals. Better to hire someone that already knows how to spot and navigate the pitfalls.
Different lawyers will have different opinions. I’ve seen top counsel disagree on where startups should incorporate, the obligations of front-ends, whether a token is a security, and other key matters. Some are conservative; some will almost never say no. It may be worth getting a second opinion if a particular piece of advice seems unreasonable to you, but don’t “opinion-shop” to get a yes, or you may defeat the purpose of even consulting a lawyer. Ask other founders and your VC to find a high-quality, experienced lawyer for you.
10. It’s risky to be a copy-cat
It’s tempting to try to “copy and paste” strategies from other protocols that look successful. However, you still need to do your own research. Just from observing projects’ public presence, you won’t have full insight into what other protocols have structured internally to protect themselves. They may also be subject to different legal regimes, risk exposure, and risk preferences based on their team or various features of their product.
It’s also worth bearing in mind that enforcement actions are horrendously lagging indicators of “validity.” An enforcement action may not be publicly announced until many years later. Just because the SEC didn’t sue a company immediately for launching a product doesn’t mean it’s an implicit stamp of approval.
11. Don’t forget to decentralize
This one sounds obvious, but it bears repeating: If decentralization is integral to your legal and regulatory posture, don’t forget to decentralize. Have a roadmap of how you want your organization to release responsibility to the community and make sure to keep yourself accountable. For many projects, especially those in DeFi, your company’s goal in 5–10 years may be to no longer exist. Many projects get complacent in their decentralization plans, or aspire to metrics of success meant for traditional startups (“grow past 1000 employees!”) that really don’t make sense for a crypto project.
Conclusion
Great legal strategy is only one component of how startups succeed, but it’s an essential one. A lot of pitfalls can actually be easily avoided if you are knowledgeable and strategic at the outset.
As your project gains traction⁹, you should strongly consider hiring an in-house lawyer. An in-house lawyer will know your product, operations, marketing, and business intimately and will be able to give better risk-adjusted advice for your project.
Good luck out there!
—
Footnotes:
[1] Popular abbreviation for “I am not a lawyer,” for those not well-versed in internet-speak.
[2] I am a lawyer, but not your lawyer. Nothing in this article is or should be construed as legal advice. My suggestions may be wrong or inappropriate for your project. Please hire external counsel.
[3] Being “anon” may be useful to protect yourself from unwanted public attention in the short run, but most people aren’t paranoid and/or skilled enough to consistently maintain their anon status in the long run.
[4] Unless you are a DAO, in which case you may still be asked about your corporate structure since some people may not participate if there is no affiliated entity.
[5] I say “company” but these suggestions could also be applied to a “team” of people.
[6] For example, if you’re a non-custodial wallet, be explicit in your website that you do not manage private keys and cannot provide recovery services. This is critical to helping users understand their relationship with your company.
[7] For example, if you specify that your protocol can give someone a XXX% return, you should provide clarity on the conditions that are required for that to happen.
[8] This is serious business; see https://www.sec.gov/news/press-release/2020-246.
[9] This milestone will look different for different projects, but generally after a Series A or a ~$50 million post-money valuation would be a good time to start searching seriously. If legal is an integral part of your product or strategy, it would make sense to look even earlier.