DLT and Blockchain Technology │CSSF White Paper

BACKGROUND

As a global financial centre, Luxembourg has traditionally been amongst the frontrunners in bringing financial innovation under its regulatory umbrella. This again seems to be the case with regard to blockchain technology and digital assets too. Already in 2019, the Grand Duchy had legislation in place referencing blockchain technology at a time when the proposal of the Markets in crypto assets Regulation (“MiCA”) was still under preparation by the European Commission.

On 21 January 2022, the CSSF released a White Paper titled “Distributed Ledger Technologies & Blockchain – Technological Risks and Recommendations for the Financial Sector” (“the White Paper”). The aim of the White Paper is to guide professionals in their due diligence process, if they wish to make use of distributed ledger technology ("DLT") in Luxembourg's financial services sector. The document is non-binding, and the CSSF emphasised that it remains technologically neutral but open to accommodating technological innovation if its risks are assessed appropriately.

SCOPE OF THE WHITE PAPER

1. Definitions and Characteristics of DLT

DLT is a rapidly developing technology and as such, its definition remains fluid. Therefore, the CSSF refrained from using previous definitions by EBA in its July 2018 report or by the European Commission in its “Pilot regime for DLT market infrastructures”. Instead, for the purpose of the White Paper the following definition was adopted:

“DLT is a technology allowing a network of independent and often geographically dispersed computers to update, share and keep a definitive record of data (e.g. information, transactions) in a common decentralised database in a peer-to-peer way, without the need for a central authority.”

The CSSF further elaborated on the above definition by setting out a useful list of common characteristics by which DLTs can be identified, namely:

• the use of a peer-to-peer consensus mechanism through a network of nodes to ensure that transactions are legitimate. In this manner, local additions to the decentralised ledger are validated through the consensus of all nodes, and 
• the use of cryptography to ensure:

1. Immutability, making it impossible to retroactively alter a transaction,
2. non-repudiation, making it impossible to deny the authenticity of the transaction and
3. authorisation, making sure that users initiate transactions using their dedicated public and private keys.

In addition to the above characteristics, the CSSF identified various different types of distributed ledgers classified according to their key properties: e.g. access rights (public vs private and unrestricted vs restricted), transaction validation rights (permissioned vs permissionless/semi-permissioned) and consensus mechanisms. 

2. Use Cases and the DLT Ecosystem

The White Paper is more than just a cautionary tale about the risks of DLT. Prior to presenting the various risks associated with DLT, the CSSF first describes the impact that a chosen DLT can have on a given project and gives an overview of sample DLT applications which the CSSF has observed over the year – so-called "use-cases".

According to the CSSF, decentralised ledgers could prove to be a solution for streamlining KYC processes, improving payment services and asset transfers, and developing more efficient fund distribution platforms.

There is already an ecosystem of various upstream and downstream actors developing such solutions. In order to facilitate governance of this new sector, the CSSF identifies these different actors as:

1. DLT Developers
2. Infrastructure Service Providers
3. Solution Providers
4. Users/End Users 

LEGAL, GOVERNANCE AND TECHNOLOGICAL RISKS OF DLT

The White Paper concludes by highlighting to industry participants that current risk assessment standards need to be adjusted to different DLT architectures. The risks highlighted by the authority fall into the categories of governance, legal risks and technological risks.

1. Governance

The CSSF encourages financial service providers to weigh the risks against the benefits of the use of DLT before opting for the technology. Furthermore, it emphasises the importance of choosing a DLT model that fits with the regulatory requirements of the business.

2. Legal Risks

Secondly, the authority encourages entities using DLT to stay up-to-date with required licences, define clearly who is responsible for malfunctions of the technology, instate dispute resolution mechanisms and formalise smart contracts used by the entity.

3. Technological Risks   

Finally, financial service providers should mitigate risks related to the design of the distributed ledger, safeguard the privacy of users and ensure satisfactory smart contract and node management.

OTHER DLT DEVELOPMENTS

Along with the White Paper, there have been other developments in the Luxembourgish and European legal framework on DLT and digital assets. As described in a recent newsflash, the Luxembourg Stock Exchange now admits security tokens representing conventional debt instruments to its Securities Official List (“SOL”). So far, three issues of security tokens have been registered on the SOL representing covered bonds issued by Société Générale.

Meanwhile, there has been progress made concerning MiCA, one of the EU’s flagship proposals concerning DLT in finance. On 14 March, the European Parliament voted on a new draft of the regulation, which notably omits language banning Proof of Work based consensus mechanisms.