The Virtual Commodity Association and the Uphill Battle for Cryptocurrency Self-Regulation

Courtesy of Katarina Weessies

In March of 2018, Cameron and Tyler Winklevoss proposed the Virtual Commodity Association (VCA), a self-regulatory organization, or SRO, meant to make the cryptocurrency industry more “safe and secure.” An SRO is “a nongovernmental organization that is statutorily empowered to regulate its members by adopting and enforcing rules of conduct.” The VCA proposal is part of a wider trend of cryptocurrency SROs. Besides the VCA, other cryptocurrency SROs include the Japan Virtual Currency Exchange Association, CryptoUK, and OKEx. The Japan Virtual Currency Exchange Association was created in the wake of the Mt. Gox hack with a focus on cybersecurity standards that would prevent similar lapses from happening in the future. CryptoUK is a British organization similar to the VCA, focused on broad, voluntary reforms in the cryptocurrency industry. The proposed OKEx SRO is unique in that it would be an international SRO without a geographic base, with the stated goal of centralizing the cryptocurrency industry. These organizations are brand-new, and it is unclear whether they will have the success of traditional finance SROs, like the National Futures Association (NFA), or if the challenges specific to regulating cryptocurrency will lead them to fizzle out.

SRO Best Practices and the Unique Pitfalls of Cryptocurrency

While cryptocurrency is a new innovation, financial SROs are not. To analyze the effectiveness of self-regulation, it is necessary to first sketch out the key goals of financial sector regulation. Effective regulation seeks to preserve the integrity of the market, reduce systemic risk, and safeguard investors. Compared to government agencies, SROs have a unique advantage in accomplishing these goals because they have direct access to industry expertise and can more quickly update their rules to adapt to new technology or changing norms. They can also resolve disputes more quickly due to fewer procedural strictures and they do not rely on taxpayer funding, as they are typically funded by the industry they regulate.

The VCA was formed in response to certain problems particular to the cryptocurrency industry. Federal regulation of cryptocurrency is minimal, and state regulations vary significantly. Without comprehensive federal regulation, cryptocurrency firms that want to operate nationally need to navigate the regulatory systems of each individual state. The VCA aims to form unified, centralized guidance for cryptocurrency firms.

Additionally, the VCA was formed in response to cryptocurrency’s reputational problems. The industry is notorious for its scandals, hacks, and crashes. With little regulation, there are essentially no barriers to entry for cryptocurrency firms in most states. Many high-profile criminal enterprises have famously used the pseudonymous nature of bitcoin to evade detection. This has led many people to associate cryptocurrency with criminal markets, making it difficult for legitimate cryptocurrency businesses to gain traction.

Will Self-Regulation Work?

Since cryptocurrency is a relatively new industry, it is not yet clear exactly how the advantages and drawbacks of self-regulation will manifest themselves. Cryptocurrency’s unique characteristics create several obstacles to successful regulation. Cryptocurrency firms are notoriously vulnerable to hacks and many criminals use the anonymity of cryptocurrency to avoid leaving a paper trail when financing crimes. Furthermore, the libertarian origins of cryptocurrency may lead to industry-wide reluctance to comply with regulations. In addition to these industry specific problems, cryptocurrency SROs will need to tackle the core issue of transparency in self-regulation, ensuring that the regulatory organization is able to make rules, perform investigations, and discipline its members without corruption or undue secrecy.

The Transparency Problem

A notable problem with self-regulation is the relative lack of transparency and accountability. Governmental agencies must comply with transparency and disclosure requirements that are designed to hold them accountable to the public. An effective SRO will put policies in place to create transparency comparable to that of a government regulator. One important measure is the publicization of SRO rules, disciplinary actions, and significant deliberations. Educational outreach programs to industry professionals, regulators, and customers could also increase transparency.

The inclusion of both industry professionals and public advocates in an SRO’s decision-making process would also enhance accountability. If consumer protection advocates, former government regulators, or other public advocates have a seat at the table, SROs are less likely to move forward with industry-boosting decisions that run afoul of the public good. Most SROs are regularly inspected by government regulators. In some cases, SROs are required to provide written reports on their statutory compliance to government regulators whenever requested.

A problem that can arise in the regulatory oversight of SROs is coordination between the government regulatory organization and the SRO, and between different SROs. The role of government oversight of SROs is to counteract the potential transparency and accountability issues that could plague unsupervised SROs. On the other hand, if government oversight of an SRO is too thorough, overlapping duties and responsibilities could stifle innovation or lead to an inefficient use of resources that burdens both the government agency and industry actors, effectively removing the speed and efficiency advantages of the SRO.

A cryptocurrency SRO could also be held accountable by concerns about its reputation. Public awareness of cryptocurrencies is near universal in the United States, but the cryptocurrency industry is notorious for its instability. Cryptocurrency firms must counteract this perception to win the trust of customers and investors. While popular wisdom dictates that self-regulation contains an inherent conflict of interest wherein an industry is expected to burden its own earning potential, some self-regulatory goals, such as market stability and crime prevention, can expand a firm’s long-term earning potential. This is especially true for firms that seek to break from cryptocurrency’s shady reputation.

Many of the concerns associated with self-regulation are also present in traditional government regulation. After all, government agencies may be prone to corruption via too-close-for-comfort relationships with the industry professionals they are supposed to regulate. If cryptocurrency SROs employ transparency enhancing measures such as publicizing their decisions, including public advocates in decision-making, and government oversight, it is possible that cryptocurrency SROs could surpass government regulatory agencies in terms of transparency and accountability.

The Crime Problem

Cryptocurrency’s shady reputation is based on a litany of high-profile hacks, scandals, and crimes. The hacks of Mt. Gox, Coincheck, and Bithumb all happened within four years of each other, cost consumers hundreds of millions of dollars, and were covered extensively in the media. One of the most prominent uses of Bitcoin was the website Silk Road, where consumers could buy and sell illegal products. Silk Road was founded in 2011 and operated for about two years. The site has since been shut down and its creator jailed, but the potential to use cryptocurrency in the sale of illegal goods remains.

Although blockchain is an anonymous mechanism, it creates a public record of all transactions, making it possible to estimate the extent to which cryptocurrencies are being used in the commission of crimes. As of the beginning of 2019, only about 0.5% of Bitcoin transactions were dark web purchases. This adds up to a total of roughly $829 million worth of Bitcoin spent on the dark web. Of course, not all illegal uses of cryptocurrency happen on the dark web. Criminals, including criminals who primarily transact in fiat currency, can use cryptocurrency to launder their ill-gotten gains and evade law enforcement. Most major cryptocurrency exchanges have implemented Know Your Customer protocols that enable them to verify the identity of their customers and assess the probability that their exchange will be used in furtherance of criminal activity. However, some smaller exchanges do not have the means or the will to implement similar protocols.

The Culture Problem

Cryptocurrency’s libertarian roots casts doubt on whether the cryptocurrency industry can regulate itself. When Bitcoin was proposed in 2008, it was meant to be completely detached from any sovereign authority, the usual functions of government oversight being replaced by cryptography. This meant that investors would not need to pay mind to the factors governments use when deciding how to distribute, limit, or otherwise control money. This naturally attracted people whose ideologies were hostile to regulation. At the popular Libertarian festival, Porcupine Fest, almost every vendor accepts payments in Bitcoin, and the Libertarian Party in the United States accepts donations in Bitcoin. Among non-libertarians, Bitcoin political donations are rare; the Louisiana Republican Party, Democratic Presidential candidate Andrew Yang, and a few individual legislators accept donations in Bitcoin.

The cultural unity of cryptocurrency and Libertarianism creates obvious problems for those who seek to regulate or centralize it. It is unlikely that Libertarian cryptocurrency enthusiasts will happily submit to new regulations. Cryptocurrency firms with Libertarian leanings might be receptive to an SRO because they are industry-led rather than government-led organizations. That being said, a government-approved regulator, even if that regulator is an SRO, would likely be derided by Libertarian-leaning firms as stifling innovation. This could be a big problem for a cryptocurrency SRO, as a widespread culture of noncompliance could drive up the cost and difficulty of enforcing any regulations, and SROs could have trouble recruiting members because of the tendency to keep the industry decentralized. The degree to which a cryptocurrency SRO will face cultural noncompliance issues will depend on the extent to which Libertarian or broadly anti-regulation ideas still permeate the industry’s culture.

The Virtual Commodity Association

The VCA cites the National Futures Association (NFA) as one of its role models. The NFA is an American SRO that regulates the futures market. It is a mandatory, industry-wide, quasi-governmental SRO that develops rules advancing industry best practices and audits firms to ensure those rules are being followed. This is distinct from the VCA because the VCA demonstrates no intention to act as a mandatory, or industry-wide organization. Rather, its preliminary membership of four firms, and focus on expansive security protocols that might only be accessible to larger, more established firms, indicate that the VCA is seeking a smaller, more exclusive membership base. Additionally, it is unlikely that the VCA will operate as a quasi-governmental organization because it is unclear which, if any, government organization would oversee the VCA. The Commodity Futures Trading Commission (CFTC) oversees the NFA, and the NFA takes on many of the enforcement responsibilities that would otherwise fall to the CFTC, including performing investigations and assessing sanctions. Since cryptocurrency regulation in the United States is sparse and inconsistent, the VCA does not have a readily identifiable parent agency. Another point of contrast between the VCA and NFA is disciplinary transparency. The NFA’s disciplinary actions are publicly available, allowing futures industry professionals to check each other’s record with the NFA before engaging in business. The VCA has not published any plans to create similarly public disciplinary records.

To operate successfully, the VCA will need to avoid the transparency and coordination pitfalls that plague other financial SROs, while also avoiding the problems with crime and culture that are particular to cryptocurrency. The VCA working groups appear to have an aggressive agenda regarding members’ vulnerability to crime and often poor cybersecurity. The aggressive security protocols will likely improve member firms’ cybersecurity and their ability to prevent criminals from taking advantage of their services. Whether the improved cybersecurity for VCA members translates to the broader cryptocurrency market will depend on how effective the VCA is at recruiting members. Since the VCA plans to remain a voluntary organization, if it hopes to become large enough to exert influence over the whole cryptocurrency market, it will need to overcome the Libertarian leanings of many cryptocurrency enthusiasts. The VCA currently advertises no plan on how to address cultures of noncompliance should they emerge, and as a voluntary organization it has no power over nonmembers. This will damage its ability to meaningfully enforce any of its rules, no matter how effective the rules are. The VCA also displays a concerning lack of focus on transparency and coordination with government entities. If the VCA does not take clear, aggressive measures to improve transparency, it is vulnerable to being overrun by industry self-interest.

The VCA is in the early stages of its development and has yet to release a robust regulatory code like those enforced by most SROs. It does, however, have specific working groups tasked with developing rules specific to the unique challenges of cryptocurrency. These working groups seem tailored to the most prominent regulator and investor, specifically the elimination of criminal activity, market stability, and cybersecurity. Since the cryptocurrency industry is still new, there is a distinct lack of industry expertise that makes knowledgeable regulation difficult. The VCA combats the difficulty of finding expertise by populating its advisory committees with “regulators, exchange representatives, lobbyists and other cryptocurrency industry stakeholders.” There are currently no sitting regulators on the advisory committees, but most committees have a lawyer or consultant with a specialty in regulatory compliance. Once these working groups come up with specific rules, the VCA will enforce them through periodic examinations of members and the assessment of sanctions. Its current members include Bittrex Inc.; bitFlyer USA, Inc., a unit of Japan’s bitFlyer Inc.; Bitstamp, Inc. and Gemini.

The VCA will need to impose transparency and accountability measures to counteract the conflict of interest inherent to self-regulation. The VCA working group currently has four members, all of whom are major players in the cryptocurrency industry, and it is easy to see how emerging cryptocurrency companies might see the VCA as an attempt to enforce an oligopoly. This concern is amplified by the possibility that the VCA will not be beholden to any government regulator, which would mean less scrutiny over potentially corrupt actions, such as accepting bribes or engaging in cover-ups. The VCA has not published any transparency policies and none of its six committees are tasked with promoting or supervising transparency within the organization. It does not advertise any intent to make its rules or disciplinary actions public and does not seem to have any intent to organize educational outreach. The names of committee leaders are publicly available on the organization’s website, but other committee members’ names are not. Interestingly, the VCA does not list any leaders or members of its Tax Committee.

The VCA website states that its Board of Directors is established, but the only director listed on the website is the President, Yusuf Hussain, who is an executive at Gemini, and the Secretary, who is the Head of Legal and Regulatory Affairs at bitFlyer. The site states that the Board satisfies the “required number of independent directors” but has no additional details about the exact composition of the Board. The lack of transparency about the Board of Directors gives credence to the idea that the VCA is an attempt by a few large cryptocurrency firms to form an oligopoly. The lack of focus on transparency within the VCA, in addition to the independence from any government agency, casts some doubt on the VCA’s ability to stay transparent and accountable.

It is also relevant that none of the committees contain any consumer protection or public advocates. The committees are all composed of a combination of cryptocurrency industry professionals and regulatory consultants. This committee composition indicates that the VCA is much more focused on its member’s compliance with cybersecurity and crime protocols than its own transparency to consumers.

The lack of government involvement in the VCA, as it is currently constituted, could create cooperation problems between the VCA and other regulators. However, in terms of cooperation between cryptocurrency SROs, the under-regulation of cryptocurrency gives the VCA an advantage. If the VCA emerges from the working groups phase to establish itself quickly as a leading SRO, it will have lead time over any other regulatory organization, and its rules can serve as a blueprint for other cryptocurrency SROs. Since cryptocurrency is underregulated, the VCA is unlikely to have trouble coordinating with other SROs, but it might struggle to coordinate with the SEC. The VCA advertises prominently on its website that it “does not provide regulatory services for security tokens or security token platforms.” This is an attempt to emphasize that it has no intention of encroaching on the SEC’s power to regulate securities. The VCA uses its official language to subtly posture that it is willing to reject certain cryptocurrency firms that it thinks are dealing in securities. The name itself describes cryptocurrencies as commodities, avoiding the word “currency.” But it will have to determine for itself which cryptocurrencies and cryptocurrency platforms deal in securities.

The VCA is not completely without guidance as to whether certain cryptocurrencies are securities because of another organization, the Crypto Rating Council (CRC). The CRC rates the likelihood that cryptocurrencies will be treated as securities using a 1-5 ranking system, where a cryptocurrency ranked 1 is least likely to be considered a security. The CRC is backed by a number of respected cryptocurrency firms, including Coinbase and Bittrex, but it is not government endorsed, so its evaluations of which cryptocurrencies are likely to be treated as securities are educated guesses. While the CRC is an organization related to regulation, it is not an SRO because it does not have a regulatory code and does not actually enforce any regulations. Rather, it provides guidance for regulatory bodies, including SROs, for how they might best enforce regulations. Still, a government agency such as the SEC could easily enforce an interpretation of securities regulation that renders the CRC ratings irrelevant and causes any SRO system based on the CRC to start over or risk running afoul of the SEC. An SEC interpretation that runs contrary to a policy that the VCA has consistently implemented would mean that the VCA would need to spend resources recreating policies to fit new SEC guidelines. This could also harm the VCA’s credibility and turn away dues-paying members.

An important difference between the VCA and other SROs, like the NFA, is that the VCA is voluntary. NFA membership is required for meaningful involvement in the futures industry, which gives the NFA additional power over the industry. Firms that do not want to comply cannot simply resign their membership and keep practicing business as usual. The current VCA members are important figures in the cryptocurrency industry, but for the VCA to operate like the NFA or FINRA, it needs to be universally, or near-universally, joined by firms serving U.S. customers. Mass noncompliance with VCA rules would render the organization  powerless.

The voluntary nature of the VCA also grants additional power to government regulators should a power struggle occur. Where the NFA and FINRA might take the lead in investigating and sanctioning firms that violate government regulations, the VCA has no power to sanction the majority of firms. Another possible result of the voluntary nature of the VCA is the creation of a two-tiered cryptocurrency industry where “safe,” VCA-approved cryptocurrency firms attract big investors and function with a level of stability similar to that of more traditional financial markets. But because of the libertarian spirit of cryptocurrency, it seems doubtful that all cryptocurrency firms will submit to VCA membership. This could create a sub-market of unregulated firms where the notorious problems of the cryptocurrency market run rampant.

The VCA is particularly focused on cybersecurity. The voluntary status of the VCA might be a disadvantage here because the frequency and publicity of cryptocurrency exchange hacks threaten cryptocurrency’s stability as a whole. The Mt. Gox hack is a great example of the industry-wide effects of high-profile hacks. In 2014, Mt. Gox was briefly the largest cryptocurrency exchange in the world, but it was poorly run and vulnerable to hackers. During its heyday, Mt. Gox had no “testing environment,” meaning that every new element of the software was pushed onto consumers before ever being tried. It also did not use version control software, a type of software used by most software development companies that would prevent Mt. Gox employees accidentally overwriting each other’s code. Hackers had been taking advantage of the lack of cybersecurity measures for years, skimming off small amounts of money that Mt. Gox either failed to notice or failed to care about. Eventually, Mt. Gox’s cybersecurity issues came to a head when $460 million dollars worth of customers’ Bitcoin went missing, presumably stolen by hackers.

Cryptocurrency investors and consumers do not want their money to end up in the hands of a company like Mt. Gox. They want to know their funds are safe, and that they can recoup their losses in the event of a hack. The VCA can address this even within its small membership. If it enforces certain cybersecurity measures, investors might feel more comfortable transacting with member firms, and the VCA can therefore incent membership with a promised boost in clientele. However, the VCA’s voluntary nature would mean that it cannot avoid the shockwaves caused by high-profile hacks at nonmember exchanges. If an event like the Mt. Gox hack were to happen again, the subsequent downturn in the cryptocurrency industry would still affect VCA members.

The cybersecurity problem also implicates cryptocurrency’s role in crime. In a decentralized industry, criminals can evade detection by leveraging the anonymity of cryptocurrency, transacting across multiple platforms or exchanging between multiple wallets or type of cryptocurrencies. The VCA wants to address this through the BSA/AML and Market Integrity working groups. The BSA/AML working group is tasked with implementing Know Your Customer and Bank Secrecy Act controls. It is headed by Michael Carter, a regulatory consultant specializing in financial crimes advising and investigation. The Market Integrity working group is tasked with “cross-market information sharing, consolidated audit trails and cross-market surveillance to detect and deter manipulative and fraudulent activity.” It is led by Michael Roe, an anti-money laundering and corporate compliance lawyer. Since the VCA is still in the working group phase, it has not implemented any specific protocols yet, but the emphasis on cooperation across the industry and the retention of corporate compliance experts is a good sign. As evidenced in the Mt. Gox hack, some cryptocurrency firms can rise to the top of the market with laughable cybersecurity. Competent cybersecurity could raise the barrier to entry for VCA member firms in a way that assures customers and investors that their money will not disappear overnight.


While it is certainly possible that the VCA will successfully tackle crime in cryptocurrency markets, bring cybersecurity up to speed, increase market stability, and improve the industry’s reputation, the VCA still faces an uphill battle. It does not advertise any transparency policies or include any consumer protection advocates in its deliberations, and its disclosures about the composition and nature of its working groups are lacking. Its voluntary nature limits its ability to impact the greater market and it has no plan to counter a culture of noncompliance. While it has lead time over other government regulators and SROs, it may run into coordination problem with regulatory agencies like the SEC. Its policies regarding cybersecurity and crime prevention will likely be comprehensive and effective for member firms, but for the VCA to positively impact the cryptocurrency market as a whole, it will need to focus more on improving transparency and addressing cultures of noncompliance.

Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *