Web3 mass adoption challenges: Regulation

In order to reach mass adoption, blockchain must be regulated. Without proper regulation, industry players are forced to operate in a gray zone, in which what's legal or illegal is unclear. In this environment, an adverse selection effect takes place; malicious players can thrive by exploiting the lack of rules and lack of comprehension of risks from clients, while well-intentioned players and big institutions are kept outside or operate in a restricted way, losing competitiveness.

However, regulation can also drive away innovation and delay an industry's development. In this sense, it's paramount for regulators to understand the technology and its implications in order to create laws and standards that protect the consumer while also fostering innovation.

In this article, we intend to discuss the state of blockchain regulation, and which aspects of it must evolve to enable mass adoption.

Commodities or Securities?

This is probably the most critical discussion regarding crypto regulation, currently. If deemed as a security, a token would be subject to the same regulatory oversight as other securities. For instance, blockchain projects would have to comply with the same rules that other securities issuers do, such as registering with securities regulators, disclosing financial information, and complying with reporting requirements – processes that are different depending on the jurisdiction. This can be time-consuming, and expensive, creating entry barriers to new entrants and turning global competition into a game for big players.

Trading would also be deeply impacted. Securities trading is usually conducted through licensed exchanges. This adds new layers of centralization to the listing system of these assets in CEXs and DEXs (centralized or decentralized exchanges). This would not only fix the market favorably for consolidated players, but would also reduce anonymity, transparency, and the communities' decision power.

Arbitrarily categorizing Blockchain projects as securities could interfere with the innovation, potential process, and the velocity with which the technology is developed. In fact, this is generally true for nascent industries.

On the other hand, there are some arguments in favor of categorizing them as such. Stricter regulation would provide improved security for retail investors, reducing fraud and market manipulation. Beyond that, it would create legitimacy, encouraging institutional players, such as endowments and pension funds, to enter the market.

A discussion about securities

One of the most emblematic sets of criteria used to categorize an asset as a security is defined in the Securities Act of 1933, and in the Securities Exchange Act of 1934, in which the U.S. Supreme Court defines variations of the Howey test. The original version of the test has a set of 4 criteria:

  1. An investment of money;

  2. In a common enterprise;

  3. With the expectation of profit;

  4. To be derived from the efforts of others;

If a contract, scheme, or transaction checks all four criteria, it is deemed as a security. However, digital currencies are notoriously difficult to categorize. By being decentralized, they elude regulation in many ways.

The main reason for it is that the Howey test revolves around the idea that there is a central party or entity that investors rely on for their profits. In the case of cryptocurrencies, there is no centralized entity or authority controlling the network. Instead, there are decentralized participants contributing to the operation and maintenance of the network.

It gets even more complicated when thinking about networks, such as Ethereum, that use the Proof of Stake consensus mechanism. In this kind of network, the validators (decentralized participants that are held responsible for validating transactions and for maintaining the network’s security) have to deposit - that is, to lock in a smart contract - native tokens that will hold yields over time. So, despite the decentralization, it ticks off some of the criteria of the Howey Test (staking).

It’s obvious that some projects do have similarities with securities, but there are some significant differences (e.g. different systemic risks). It’s useful to think about a seemingly simple question, which has many implications: do cryptocurrencies present the same kind of activity and have the same kind of risks as securities? If so, the same rules must apply.

There is a great similarity in the end goal, i.e. investing money in pursuit of profit. However, the risks are not the same. The way blockchain works provides transparency by default and its decentralized nature eliminates problems such as conflicts of interest, thus addressing two systemic problems built into the traditional financial system.

We argue that many crypto projects shouldn’t fall under current security regulations. However, that doesn’t mean that there shouldn’t be any oversight. As has happened throughout human history, some rules must be changed in order to embrace new concepts. We believe that regulators must follow a middle path, regulating crypto based on the final purpose given for the token, much like what happens nowadays in real estate, in which a property-related activity could be classified as a security or a utility, thus creating a safe environment for investors whilst fostering innovation.

Of course, the participation of the crypto community in this process is imperative. Conversations between the public and private sectors should promote a better understanding of the topic and lead to better regulation.

The end goal should be creating a safe environment for innovation. To achieve this, however, it’s important to transform the image of blockchain as a huge gamble and speculation market, and reinforce its potential to be a new computational layer.

We will discuss the current state of blockchain regulation in different geographies later on in this article.

How to guarantee KYC and AML inside a decentralized environment

Being able to run KYC and AML analysis in crypto is fundamental to enabling mass adoption. These practices help to protect the system against money laundering, terrorism financing, and to make it more difficult to use it for illegal purposes in general. It is also vital for bringing security to the end user, enabling daily transactions and allowing big institutional players to enter the market.

However, blockchain technology is known for allowing trustless transactions, in which two parties don’t need to know each other’s identities in order to trust in the soundness of such transactions. This is not only desirable but necessary. In a blockchain, all transactions are, theoretically, traceable and trackable. Exposing users' identities is exposing their whole financial life.

In decentralized exchanges that inherently possess a trustless and permissionless nature, KYC becomes challenging. Furthermore, there is also the existence of privacy coins, mixing, and tumbler services. Privacy coins - blockchains whose main premise is guaranteeing anonymity - have implemented transaction obscuring methods, such as scrambling wallets or creating fake addresses. Mixers and tumblers also provide the same things for blockchains that do not have such methods implemented.

At the beginning of August 2022, the Tornado Cash project – a decentralized crypto mixing service – entered the OFAC (Office of Foreign Assets Control) sanctions list, with the justification being that criminals used the tool to launder money. Estimates point out that more than US$ 7 Billion have been laundered in the last 3 years at Tornado Cash, with much of the resources coming from the Lazarus Group, a hacking group in North Korea.

The sanctions apply to all US corporations and individuals that interact with the protocol, but questions remain as to the extent and enforceability of this restriction. Based on OFAC's position, centralized projects, which are easier to enforce, followed the mandate. One such example is Circle, which confiscated all USDC stablecoins linked to public keys on the OFAC list. What's novel about this episode is the fact that, for the first time, restrictions on financial interactions were enforced on wallet addresses, not on individuals, countries, or organizations.

Even centralized crypto projects find themselves in a gray area when it comes to regulation.

In 2019, the FATF (Financial Action Task Force), the main financial regulatory body in the fight against money laundering and global financial terrorism, formed by G7 member countries and 30 more signatories, included cryptocurrencies within the AML recommendations. The Travel Rule, formally known as FATF Recommendation #16, requires Virtual Assets Service Providers (VASPs) to communicate the information of the benefactors and beneficiaries of crypto transactions that exceed a 1,000 dollar threshold.

However, a March 2022 report by the institution itself pointed out that, of the 98 jurisdictions included in the report, only 11 implemented laws, supervision, and enforcement in accordance with the institution's recommendations. 36 did not even begin to discuss the topic.

Distribution of Bitcoin mining hashrate by country

In fact, the current main challenge regarding this subject is not technology. Even with all the previously mentioned challenges, crypto and KYC/AML are not incompatible. For instance, Coinbase and Circle are leading a project called TRUST protocol (Travel Rule Universal Solution Technology), which allows web3 companies to abide by the Travel Rule while ensuring user privacy.

Beyond that, there are already several initiatives working on connecting web3 players to KYC providers while delivering on-chain analysis about fraudulent, suspicious, and criminal activities. These initiatives are still taking a local approach since regulations and requirements change across geographies.

There are some areas (e.g. E.U. and Brazil) that are creating regulations in order to enforce KYC/AML processes on blockchain players. However, they are nascent regulations and their efficacy is yet to be proven. Here, the parallel with the beginning of the internet makes sense. Countries like the United States and Brazil approved the General Data Protection Regulation (GDPR) only in 2018, almost 30 years after the beginning of the Internet. To date, no global body defines guidelines/practices and enforces its laws within the virtual environment. The lesson is that, although essential, regulation follows technological evolution at a slow pace.

State of Regulation


In December of 2022, Brazilian regulators approved a bill that regulates the country’s crypto market. The new law focuses on regulating digital assets’ service providers, leaving out of its scope digital assets that might fall under the securities category; these are overseen by the CVM (Brazil’s SEC equivalent).

These service providers must have a license from the regulatory entity - which is not yet defined - in charge of overseeing the market. These providers are defined as companies that, on behalf of third parties, offer one of the following services: exchange of digital assets for fiat (national or foreign); exchange between digital assets; transfer of digital assets; custody and control of digital assets or financial instruments related to digital assets (e.g. ETFs); and the taking part in or offering of services related to digital assets issuance or trade.

Furthermore, the new bill defines digital assets as a digital form of value that can be traded or transferred through electronic means and can be used for payments or investment purposes other than fiat, electronic currency (the digital representation of money in bank accounts), and utility tokens and securities (using the current Brazilian legal understanding).

The bill also creates good practices that the crypto assets service providers must follow which relate to competition, governance, transparency, risk management, information protection, consumer protection, soundness and efficiency of operations, AML, and anti-terrorism practices. It also creates new rules to fight against and punish crimes such as embezzlement and money laundering.

However, the crypto assets bill does not create the competent authority to oversee the crypto assets service providers, which creates a certain degree of uncertainty. Furthermore, it doesn’t cover the separation between clients’ and company funds, which is important to prevent misappropriation, as happened with FTX.

In April of 2023, the CVM defined rules for what they call “fixed income tokens”. Despite the positive impact these rules imply for security for users, they implement higher degrees of bureaucracy for token issuers.

The new rules apply to tokens related to credit rights or debt securities, such as credit card receivables. The issuance of new tokens does not require CVM’s approval. However, the issuer needs to operate under the crowdfunding license, and cannot surpass either R$ 40 million in revenue or R$ 80 million for the economic group. Furthermore, each token issuance needs to be spaced by 120 days and cannot surpass R$ 15 million. Finally, and arguably most concerning, is the prohibition of a secondary market among token holders.

This new rule presents some concerns. First, the issuers have to stop issuing new tokens until they get their crowdfunding license, and the 120 days window between issuances might reduce the market dynamism, or even make it prohibitive for some business models. Second, the revenue cap might drive away big players and venture capital investors from investing in these companies. And lastly, the prohibition of the secondary market might present reduced liquidity for token holders, thus disincentivizing this category of investment.

Despite some concerns about asset tokenization, market specialists and entrepreneurs are optimistic about the path Brazil is taking toward regulation. The country currently, according to the Chainalysis Global Crypto Adoption Index, is the crypto adoption leader in LATAM and is positioned in 7th place globally, making it better positioned than countries such as China and the UK. This new regulation might be a step further in making Brazil a global leader in crypto adoption.

Source: https://blog.chainalysis.com/reports/2022-global-crypto-adoption-index/

The Brazilian crypto bill is not as comprehensive as the EU’s Markets in Crypto-Assets Regulation act (MiCA), which will be discussed later in this article. However, it’s also not as specific as MiCA is, which might be positive. Blockchain is still a nascent technology. Its implications are not clear and its use cases are just starting to emerge. Wisely, the Brazilian regulation leaves room for further improvements as the technology evolves, while not leaving consumers unprotected and creating some degree of clarity for institutions.


In the US there is no broader regulation regarding crypto. Despite the existence of some voices in Congress that advocate for comprehensive regulation to create a safe environment for entrepreneurs and consumers, so far, US regulators' effective measures have not been pro-crypto.

In the US, three different institutions are in charge of overseeing digital assets: the Financial Crimes Enforcement Network (FinCEN), the Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC). Recently, especially after the Terra/Luna and FTX collapses, the SEC and CFTC have been adopting a strategy of ruling by enforcement. The lack of a proper regulatory framework, coupled with the uncertainty created by numerous lawsuits against crypto players in the US, has created a challenging environment for innovation in blockchain.

Perhaps the most pressing issue is the uncertainty regarding which crypto assets fall under the securities category. Previous statements from SEC’s chairman, Gary Gensler, implied that all crypto assets but Bitcoin could be considered securities. However, recently, on April 18th, in a Congress Hearing, Gensler was unable to answer questions about the nature of ETH, and whether it is, in fact, a security or a commodity.

In the past 3 years, there have been several lawsuits against blockchain companies:

  • SEC vs. Ripple: Ripple emerged as a solution to provide financial institutions with low-cost and fast clearance of cross-border remittances, using their network and their native coin XRP to settle transactions in real-time. However, in 2013 Ripple used XRP to raise funds for the company in an ICO (Initial Coin Offering). Consequently, under the claim that XRP satisfies the Howey test, the SEC sued Ripple in 2020 for selling unregistered securities to US investors. This is a lawsuit whose verdict the market awaits with bated breath since it may have profound impacts on the blockchain industry.

  • Kraken’s SEC settlement: In February of 2023, charges against Kraken, a crypto exchange, were announced. The central point of the charges was that Kraken's offering of a staking-as-a-service product to US consumers was equivalent to an unregistered security offering. To settle the charges, Kraken agreed to pay US$ 30 million and to shut down all their staking services in the US. This is an important event to the industry since staking is a technically challenging endeavor for individuals, and it’s a fundamental piece in the process of keeping networks such as Ethereum decentralized and secure. Banning staking-as-a-service products from the US might drive retail presence away from this kind of initiative and could be a major blow to the whole industry.

  • NYDFS and Paxos’s BUSD: Also in February, as a consequence of the Terra/Luna crash, the New York Department of Financial Services (NYDFS) started to investigate the stablecoin issuer Paxos, which was responsible for minting part of the Binance stablecoin (BUSD). Shortly after, this investigation resulted in a directive from the NYDFS, accompanied by threats of legal action from the SEC, which made Paxos stop issuing BUSD.

  • SEC vs Coinbase: In March 2023, Coinbase received an SEC Wells notice regarding an unidentified portion of Coinbase’s listed digital assets: Coinbase Earn, the platform’s staking service; Coinbase Prime, an institutional custody and trading solution; and Coinbase Wallet, a self-custodial wallet. These products should go under legal scrutiny. The consequences of the developments of this action should have a profound impact on US regulation, especially given that many previous attempts of finding a path for Coinbase to register under the SEC had no success.

  • CFTC vs Binance: Also in March 2023, the CFTC sued Binance’s CEO Changpeng Zhao (CZ) and ex-chief compliance officer Samuel Lim for allegedly offering unregistered futures & options trading and breaking US laws. The main allegations are: 1) Despite the 2019 Binance ban, they incentivized clients to access their services through VPNs; 2) CZ has been counter-trading his own clients through several Binance accounts; 3) Binance faked a compliance audit; 4) Binance had knowledge about criminals/terrorists using their platform and didn’t take action; 5) Bad management structure: Binance doesn’t have a board of directors.

  • SEC vs Bittrex: In April 2023, the SEC charged Bittrex, a crypto asset trading platform, with operating an unregistered national securities exchange, broker, and clearing agency. The SEC’s main argument is that Bittrex traded unregistered securities - OMG, Dash, Algorand (ALGO), Monolith (TKN), Naga (NGC) and IHT Real Estate Protocol (IHT).

Due to the banking crisis and regulatory pressure, it’s becoming increasingly hard to perform the on-ramp and off-ramp of crypto - trading crypto for fiat and vice-versa - in the US. Most of the crypto-friendly banks (e.g. Silicon Valley Bank and Silvergate) have been closed and potential buyers are prohibited from carrying on with the banks’ crypto-related activities.

In January of 2023, the Fed, the FDIC, and the OCC released a joint statement strongly discouraging banks from having exposure to the crypto market. Shortly after, one of the few crypto-friendly banks, Metropolitan Commercial Bank, shut down its crypto-vertical operations. And in the same month, the Fed and the National Economic Council respectively launched statements discouraging banks from holding crypto-assets or issuing stablecoins and strongly discouraging banks from transacting with crypto-assets directly or maintaining exposure to crypto depositors.

This is not a favorable scenario for the development of the blockchain industry. Despite some voices in Congress and US regulators calling for the proper regulation of crypto, in a broad sense, the US is driving blockchain innovation away. This regulatory turmoil is steadily causing the US to lose its lead in the number of blockchain developers, which are being captured by geographies such as Latam and India.

Source: https://github.com/electric-capital/developer-reports/blob/master/Blockchain%20Developer%20Geography%20Analysis%202023.pdf


On April 20th the EU approved the Markets in Crypto-Assets Regulation (MiCA), which is the most comprehensive regulatory framework in the world.

The main goal of MiCA was to create a single regulatory framework in the EU, giving legal certainty to entrepreneurs/institutions, and eliminating the necessity of different licenses to operate inside the EU, thus fostering innovation while protecting the consumer.

MiCA’s central idea is the creation of 3 categories into which digital assets can fit, based on their use, application, and issuance method. Each category of crypto asset issuer has to follow specific requirements, given their risks and “relevancy”, an interesting concept used to not overburden early projects/innovation. MiCA has also established operational requirements for any Crypto-asset service provider, such as exchanges, Custody & Administration, portfolio management, and more.

Source: https://paddihansen.substack.com/p/the-eus-mica-framework

Each category has its own definition and obligations. Here’s a summary of it:

  • Crypto-asset: A “digital representation of a value or a right, which may be transferred and stored electronically, using a distributed ledger or similar technology”. This category is obliged to notify their national competent authority and send their white paper containing relevant information about the project, such as the issuer, the risks involved, the used technology, tokenomics, and the environmental impact of the consensus mechanism. The whitepaper doesn't need to be approved, but it can be vetoed.

    • Utility token: A sub-type of crypto-assets “which is only intended to provide access to a good or a service supplied by its issuer”. It must follow the same requirements as crypto-assets.

  • Asset-referenced token (ART): Stablecoin-like tokens that use a basket of assets to maintain pegging. This category also has to submit the whitepaper, which in this case is subject to approval. The entity issuing ARTs needs to be incorporated in the EU, meet certain prudential “own funds” requirements (2% of ART supply), satisfy reserve management (with regard to segregation, custody, investment etc.) standards, and have wind-down and resolution plans in place.

  • E-money token (EMT): Aims at stabilizing its value by referencing the value of one single fiat currency, for example, USDC, USDT, BUSD, or EUROC. Only regulated e-money institutions (EMIs) or credit institutions have permission to issue e-money tokens. They are prohibited from granting interest to EMT holders and are obliged to have high-quality liquid assets as reserves.

  • Crypto-Asset Providers (CASPs): Players that intend to offer services - such as custody and administration of crypto-assets, operation of a crypto-assets trading platform, placement of crypto-assets and others - need MiCA’s license to operate. All of them will need to follow requirements regarding governance, safekeeping of assets, outsourcing, wind-down plans, information disclosure, and prudential requirements.

Regarding NFTs, it’s not clear yet what the impacts of MiCA are going to be. According to the final text, art is not in the scope of the regulation. However, large collections might fall under the non-fungible category so the asset and everything built upon will be regulated by MiCA. The main concern is that there are no established criteria, so it remains elusive as to whether a set of NFTs are under MiCA’s regulation.

The “relevance” concept is also worth discussing. It establishes triggers for more intensive oversight over projects and allows smaller projects to operate with minimum oversight, making it easier and faster to create new ideas and experiment with them. When the project becomes relevant and starts to pose higher risks, it will be submitted to stricter requirements. These relevance triggers are:

  • Reach more than 10 million holders

  • Reach more than €5 billion in market capitalization

  • Whether the number or value of transactions per day is higher than 2.5 million and €500 million, respectively.

  • Whether the issuer is designated a gatekeeper according to the Digital Markets Act

  • If it’s deemed significant on an international scale, including payments and remittances use cases.

  • The degree to which the token is interconnected with the financial system.

  • Whether the issuers offer additional ARTs, EMTs, or crypto-asset services.

There are some interesting discussions around MiCA. First, it does not encompass fully decentralized entities such as DAOs and DEXs. However, it encompasses services that are partially decentralized. One of the main questions here is how much decentralization is needed for projects to escape MiCA’s reach.

Furthermore, MiCA intends to eliminate the gray zones, which will probably give institutional players legal security to operate in the space. It also creates a huge entry barrier for unregulated players from outside the E.U., who will no longer be able to actively pursue EU consumers.

Final thoughts

As previously discussed, regulation usually lags behind technological innovation. This is expected and, to some degree, advantageous. Without a clear vision of which paths technology will take and the flexibility to change rules during the process, regulation might become a roadblock. This is precisely why we regard regulatory frameworks such as MiCA and the Brazilian bill with such enthusiasm.

We believe that the community has an important role in the process of creating proper regulations. With the fast pace of innovation in the blockchain industry, regulators might fall behind. In this context, the presence of crypto self-regulatory organizations (SRO) might be positive. This public-private approach - similar to the role that FINRA (Financial Industry Regulatory Authority) plays in regulating the capital markets under the SEC’s supervision - may serve as a good complement to the federal regulators’ rules. A crypto SRO would give the industry a chance to have a voice and could play an important role in the more effective oversight of such a fast-growing and complex sector. Given their knowledge and familiarity with market practices, SRO members can lend genuine authority to industry experts and can be much more efficient when applying well-established rules.

Our outlook on regulation is optimistic. In order to reach mass adoption a comprehensive regulatory framework is needed. However, we believe that regulation must evolve; it doesn’t make sense to only regulate issuers and crypto asset providers while disregarding token applications. We believe that regulation must be calibrated towards token-specific use cases and risks.

To summarize, we believe that regulation is evolving and moving in a pro-industry direction. Despite big uncertainties regarding the US, many other geographies’ regulators - those that we discussed in this paper and those that we did not, such as Latam, Europe, Africa and some parts of Asia - are realizing the potential of blockchain technology and are taking a pro-industry approach. At some point, US regulators might be forced to approach the blockchain industry from a different angle.

In the coming years, we should see a wave of new business driven by the new blockchain regulations. This will allow the development of local ecosystems and a more competitive landscape, with the presence of new entrants but also incumbents.

If you like this content, you can find a deeper discussion about the state of crypto on our Crypto Paper, or if you are an entrepreneur with a Web3 / Fintech / Embedded Finance product, contact us, we are investing!

DISCLAIMER: This material is provided to you for informational purposes only. This is neither an offer to sell nor a solicitation of any offer to buy any securities in any fund managed by Iporanga Ventures (the “company”), nor is it an offer to provide investment advisory services. And the targeted performance contained herein is provided for illustrative purposes only and is not intended to serve as, and must not be relied upon by any person as, a guaranty, an assurance, a prediction of a definitive statement of fact, a probability or as investment advice.
