STOs in Europe and Security tokens: demystified compliance

19 August 2020

In the last years, investing in early-stage companies has been extremely lucrative (especially for the borrowers). The number of scams perpetrated during the it’s-so-easy-to-run-an-ICO period, together with the amount of nonsensical ICOs, caused investors to quickly lose interest in the Blockchain market. But times are changing, and STOs in Europe are becoming more and more popular. In this article, I would like to tackle this topic from a regulatory compliance viewpoint and demystify the false beliefs in and around security tokens. 

Many ICOs have brought unprecedented results, but STOs in Europe are rising

According to PwC, the 15 biggest token offerings since 2016 raised almost 10 billion USD. Among them, 5 (EOS, Telegram, Tatatu, Dragon and Kinesis) were based in offshore jurisdictions and raised approximately 6.9 billion USD. 

Unfortunately, together with those and other successful Initial Coin Offerings, many others have been launched, with severe compliance gaps. In other cases, investors just lose their money. In many different circumstances, ICOs have been performed for meaningless projects in terms of technology or business perspective. 

More recently, the market sees an astonishing rise of Security Token Offerings (STOs):

  1. STOs are establishing themselves as the pivotal Blockchain-based crowdfunding instrument. After an intense but volatile development throughout 2018 and the first half of 2019, STOs reached quite low funding volumes in the second semester last year. Though, a stable and regulated infrastructure will drive prominence of STOs in the financial and investment market landscape.
  2. More and more, security tokens are directly issued by corporate entities. Banco Santander (Spain), Bank of China, Societe Generale (France) and The World Bank (USA), to name a few examples, raised more than EUR 2.5 billion by the tokenisation of bonds. 
  3. The tokenisation ecosystem is already in place (and is growing). The number of tokenisation companies is such to provide the market with critical benefits, like increased liquidity, faster settlement, lower costs, sustained risk management. Many of these companies are based in the USA, but Asian and European players are taking the stage. 

How to run an STO?

Legal professionals say that, in their space, there are easy cases, complicated cases and the securities law. Jokes aside, when it comes to the securities law, and especially to the international securities law, every situation is unique, the substance prevails on the form, and no one-size-fits-all solutions are available. 

It’s in the promoters’ interest to comply with the securities laws of both the issuing and the investors’ jurisdictions. I tried to summarise some key elements to be taken into consideration when planning to run an STO in Europe, in four selected jurisdictions: England and Wales, Estonia, Liechtenstein and Switzerland.

England and Wales

In October 2018, the HM Treasury, the Financial Conduct Authority (FCA) and the Bank of England categorised crypto assets into three types of tokens. The British watchdogs are of the opinion that security tokens are those tokens that meet the definition of “specified investment” (as set out in the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001, or “RAO”) and possibly also “financial instruments” within the meaning of the MiFID II. Tokens that grant their holders some of the rights conferred on shareholders or debt-holders fall within this category. 

“Specified investments” under the RAO are, among the others:

  • shares;
  • bonds, debentures, certificate of deposit;
  • warrant and other instruments giving entitlements to investments in shares, bonds, debentures, certificate of deposit;
  • certificates representing particular securities;
  • units in a collective investment scheme.

The FCA recognises that there are areas of a lack of clarity when it comes to the regulatory regime applicable to crypto assets in general. That is why the regulator has put in place specific mechanisms to support companies seeking certainty on the regulatory treatment of their products or services. In so doing, FCA takes a technology-neutral stance: irrespective of the technological solutions used, it is the underlying activity or asset which consents to assess the applicable regulatory perimeter. 

While there are many exceptions, a prospectus is required before a security token is offered to the public or is admitted to trading on a regulated market. 

The process to have a prospectus approved could take between 3 to 5 months. It all depends on the complexity of the business, and its capacity to provide the regulator with the relevant information required. 

Our Blockchain Compliance Rank gives a 7.46 score (on a scale 0 to 10) to the United Kingdom, which is therefore considered a “very safe” jurisdiction for crypto-projects in general. 


If a token “gives investors certain rights in the issuer company” or its “value is tied to the future profits or success of a business”, then it falls under the definition of security, and is subject to the regulator’s supervision, the Estonian Financial Supervision Authority (EFSA) stated. Anyway, the Baltic watchdog adheres to a substance-over-form principle, and each business model is assessed on a case-by-case basis. 

The Estonian Securities Market Act (SMA) applies to security tokens. The first assessment that must be made refers to whether or not the STO is deemed to be considered a “public offer”. An STO isn’t a public offer if:

  • it addresses qualified investors only; or
  • it addresses less than 150 non-qualified investors per Contracting State;
  • each investor acquires securities for a total consideration of 100,000+ euros each; or
  • each token has a value of 100,000+ euros; or
  • the total consideration of the STO is less than 2.5mn euros per all the Member States of the EU. 

If the STO falls within the category of a “public offer”, a prospectus must be prepared and registered with EFSA. Of course, the EU Prospectus Regulation (and its exceptions) applies.

Under the law, EFSA decides on the approval of a prospectus within 20 working days. It’s true, however, that 3 to 6 months could be necessary to complete the procedure. 

In some cases, the Investment Funds Act may apply to an STO, for example, if the investors’ capital is raised to further invest it, per the issuer’s investing policy, for the benefit of the investors. If this is the case, a fund manager authorisation is mandatory. 

Other pieces of law (such as the Advertising Act, the Law of Obligations Act, just to name a couple of them) could apply to the project, together with the legal provisions in terms of anti-money laundering and counter-terrorist financing. 

Because of its legal framework, Estonia doesn’t seem the best place to run an Equity Token Offering. Still, for other tokenised securities, the country offers a fair business environment and a reliable relationship with the regulator. 

For the sake of completeness, it’s necessary to add that a utility token might be converted into a security token. Under the Estonian regime, this would be possible by granting the initial STO’s investors with a loan agreement, under which they would be entitled to receive any interest from the issuer’s profits. When selling their security tokens in a regulated secondary market, the initial investors will also sell the loan agreement, under the Law of Obligations Act. 

I believe that Estonia would deserve much more attention from the Blockchain community, and not only in light of the favourable regime applicable to issuers of utility/payment tokens, providers of custodial services and managers of crypto-exchange platforms. The country is seventh on our Blockchain Compliance Rank, with a score of 7.87/10.


The Liechtenstein Blockchain Act led many players on the Blockchain scene to start their businesses from Liechtenstein. Not only the regulatory framework applicable to security tokens appears to be fair and transparent, but, in our experience, communications with the Financial Market Authority (FMA) are efficient. The local law recognised dematerialised securities for almost 100 years, which supports the technological-agnostic approach of the law.

Further, it must be noted that several banks in Liechtenstein expanded their services and offer trading and custodial products for crypto assets to their customers. 

While there are many exceptions, a prospectus is required before a security token is offered to the public or is admitted to trading on a regulated market. 

To have an STO approved by FMA, a timeframe from 3 to 5 months must be taken into account. It also includes the time to incorporate a new legal entity in the country and collect the preliminary documents and information needed.

7.55/”Very safe” is the score given to Liechtenstein by our Blockchain Compliance Rank.


According to the Swiss financial regulator, FINMA, security tokens might represent assets such as debt or equity claims against their issuer. To be precise, FINMA uses the term “asset tokens” instead of “security tokens” but, for ease of reading, I will still refer to them as “security tokens”, mainly because, once a token qualifies as an asset, it is classified as a security under the Swiss law. 

Starting from the 1st of January this year, the Swiss Financial Services Act (FinSA) came into force and significantly changed the security tokens’ legal landscape.

Any activity which leads to the sale or purchase of a financial instrument by a customer falls within the category of “financial services”. Under the FinSA, those who provide financial services must segment their customers. Based on such an activity, the financial service provider must provide its customers with different levels of protection and information. Further, financial service providers will be subject to specific rules of conduct and information obligations. Plus, adequate organisational measures must be put in place to identify and avoid conflicts of interest. 

Financial service providers must also register with an ombudsman, and civil liability insurance is compulsory under specific circumstances.

Since recently approved, the practical implementation of FinSA is still unclear. Nonetheless, issuers of security tokens must consider its obligations that may have to face. 

Swiss STOs may not only fall within the obligations set by FinSA. Each STO must be analysed to assess whether or not it triggers other law provisions, such as banking, securities dealers’, contract, corporate and data protection legislation.

Licensed crypto-exchanges are entitled to offer services in the areas of trading, clearing, settlement and custody of crypto-based assets, which include security tokens as well. 

Switzerland is third on our Blockchain Compliance Rank. With its score of 8.16, the small country is considered “very safe” for crypto-businesses. 

Is it possible to open a security token exchange in Europe?

In my opinion, the issuers of security tokens face two kinds of constraints. The first one refers to the compliance burden: to issue a security token requires an adequate level of compliance, that means time, effort and investments. The second matter is a still too small secondary market. When the security token is issued, to exchange it is still a problem, because just a few exchanges are equipped to list security tokens among the pairs they support. Which leads me to the question I’ve been asked several times during the last months: is it possible to open a security token exchange in Europe? The short answer is, “Yes, it’s possible”. Let’s analyse this topic further.

A security token exchange in Europe requires the obtainment of a Multilateral Trading Facility (MTF) license, under the MiFID II, the Market in Financial Instruments Directive. Quite similar to the US-“Alternative Trading System” (or ATS), an MTF is (article 4.1(22) MiFID II):

“a multilateral system, operated by an investment firm or a market operator, which brings together multiple third-party buying and selling interests in financial instruments – in the system and in accordance with non-discretionary rules – in a way that results in a contract.”

The authorisation to operate an MTF is issued by the member state’s regulatory authority and implies the compliance with the requirements provided for in MiFID II. 

Which are the requirements to obtain an MTF license? Below are some high-level requirements that must be met by MTFs. The idea of this article is to highlight what it takes in regards to regulations to operate an MTF in Europe but please note that the list isn’t exhaustive, and you must seek professional advice before taking action. 

An MTF must establish and enforce adequate policies and procedures to:

  • ensure compliance with the applicable regulation;
  • prevent conflicts of interest;
  • ensure continuity and regularity in the performance of its services;
  • avoid undue risks;
  • guarantee the soundness of its administrative and accounting procedures and internal control system;
  • safeguard its clients’ ownership rights

Further, an MTF must, among other things:

  • establish rules and procedures for fair and orderly trading and efficient executions of orders;
  • establish regulations regarding the criteria for determining which financial instruments can be traded under its platform;
  • identify and address the risks connected with potential conflicts of interest;
  • establish rules and procedures in terms of resilience of its systems;
  • provide the relevant regulator with a detailed description of its functioning.

Being an investment firm, an MTF is also subject to stringent capital requirements. 

Even when all these (and other) requirements are met, the MTF license can’t be granted unless the firm has “sufficient initial capital having regard to the nature of the investment service or activity in question”, article 15, MiFID II says. 

Such small insights are enough to understand how high is the barrier of entry but, given the fact that STOs in Europe are gaining more and more traction, an enormous potential for companies who are capable of being licensed as MTFs.

Be the first to share your opinion!

Your email address will not be published.


Contact us

Would you like to implement a Blockchain solution for your business? Tell us what you have in mind and one of our consultants will soon get in touch with you!