In the context of enhanced interest in digital financial services technologies, Luxembourg’s financial sector regulator (the CSSF) has recently published a white paper named “Distributed Ledger Technologies & Blockchain – Technological Risks and Recommendations for the Financial Sector” (the DLT Paper).¹ The DLT Paper is the continuation of the CSSF’s approach to foster financial innovation while remaining technologically neutral and is intended to initiate an open dialogue with market participants.

The DLT Paper, stated to be nonbinding, aims at guiding professionals in their due-diligence process related to the use of Distributed Ledger Technologies (DLT), with a particular focus on the risks associated with DLT.

1.    DEFINITIONS OF DLT

Under Luxembourg law, there is currently no specific definition of DLT. The Luxembourg law of 1 March 2019, amending the Luxembourg law of 1 August 2001 on the circulation of securities (the 2001 Law), simply refers to “secure electronic recording devices, including distributed electronic registers or databases”.² In contrast, the European Commission’s draft pilot regime for DLT-based market infrastructures³ (discussed in greater detail below) defines DLT as “a class of technologies which support the distributed recording of encrypted data”. The CSSF recognizes that the elaboration of a definition of DLT is a moving target because of the numerous developments around it. On that basis, the DLT Paper proposes key common characteristics and main types of DLT.

2.    KEY COMMON CHARACTERISTICS OF DLT

In the DLT Paper, the CSSF identifies two key elements that distinguish DLT from distributed databases, which in turn have been known for decades and are instrumental to the rise of cloud computing and virtualization of websites that use distributed databases with multiple clusters of geographically distanced nodes.

2.1    Use of consensus mechanism through the network of nodes

In a DLT environment, the nodes must reach a consensus among each other to validate new data entries by following a set of predefined rules. The consensus mechanism, determining whether a new transaction on the DLT is legitimate or not, is specified in the algorithm that defines the distributed ledger. The consensus mechanism prevents the network from being hacked or misused and allows for the achievement of trust and security in a decentralized computer network.

2.2    Ensuring immutability, nonrepudiation, and authorization

The use of DLT ensures a transaction to be immutable (that is, once a transaction is validated by the nodes and added to the DLT, it can no longer be retroactively altered or amended without a consensus of the participants under the relevant method used). A transaction or message accepted in the DLT is deemed to be authentic and shared with everyone (that is, participants of the DLT cannot deny that authenticity or claim not having received that transaction or message). The authorization feature is implemented by the use of public and private key pairs during the validation process.

3.    TYPES OF DLT

Without seeking to promote any particular technology, the CSSF distinguishes among different types of distributed ledgers depending on (i) their access rights features (that is, public or private, restricted or unrestricted distributed ledgers), (ii) their validation rights features (that is, permissioned or permissionless distributed ledgers or types of nodes with growing validation capacity), and (iii) the consensus methods used.

4.    IDENTIFYING THE RIGHT TYPE OF DLT FOR A PROJECT

The CSSF uses different examples to illustrate the potential of the use of DLT by financial market participants. These use cases include:

• The operation of an anti-money-laundering/know-your-customer data management system to avoid duplications of data collection and verification efforts; 
• The fast, automatic, and secure processing of payments and the transfer of funds and other crypto-assets (such as stablecoins denominated in a fiat currency), without using intermediaries such as clearing and settlement systems, and correspondent banks; and   
• A DLT-based distribution platform allowing the tokenization of shares or units in investment funds, to which investors can subscribe and redeem such shares or units through a web or mobile application.

5.    RISK CONSIDERATIONS

The CSSF uses a large part of the DLT Paper to elaborate, in the form of questions and answers, on the risks it considers to be associated with the use of DLT and which financial market participants should consider when contemplating the use of DLT. These risks centre around:

• Governance aspects (relating to the DLT strategy of a supervised entity, how changes at the DLT level can potentially impact the continuity and validity of the business, and legal and contractual points);    
• DLT-specific technical risks (relating to the distributed ledger design, node management, smart contracts, and key management); and    
• Traditional information and communication technology risks (relating to governance (such as outsourcing and concentration risks), continuity and resiliency measures, and security and cybersecurity risks).

6.    DLT FINANCIAL INSTRUMENTS ON SECURITIES OFFICIAL LIST OF THE LUXEMBOURG STOCK EXCHANGE

Almost simultaneously with the publication of the DLT Paper, the Luxembourg Stock Exchange (LuxSE) announced that it will allow “DLT Financial Instruments”⁴ to be registered on its Securities Official List (SOL)⁵ and that it has admitted three security tokens governed by French law and issued natively on the Ethereum and Tezos public blockchains, respectively, by affiliates of Société Générale on 31 January 2022. Registration on the SOL gives DLT Financial Instruments enhanced visibility and their issuers the opportunity to communicate an indicative price and relating data of such instruments to their investors. Registration on the SOL does not, however, qualify the DLT Financial Instruments for admission to trading on one of the two LuxSE’s markets.

In order to be registered on the SOL, a DLT Financial Instrument must satisfy the requirements of the LuxSE’s guidelines for the registration of DLT Financial Instruments onto the SOL (the LuxSE Guidelines).⁶ In particular, DLT Financial Instruments must consist, for the time being, of debt instruments within the meaning of items (II) and (III)⁷ of the definition of “Securities” in section 2 of the LuxSE Rulebook SOL that meet the following criteria:⁸

• Debt instruments offered exclusively to Qualified Investors (as defined in the Prospectus Regulation) or issued in a denomination per unit that amounts to at least EUR 100,000;
• Debt instruments, the issuers of which have previously issued securities in capital markets or issued by applicants having a proven track record in capital market transactions; and    
• Debt instruments, the pricing of which is done in fiat currency.

LuxSE requires certain information on the DLT Financial Instrument to be provided via an information notice, covering, among other things, (i) a contingency procedure in the case of a failure of the DLT; (ii) the payment process, if that process contemplates the transfer of Settlement Tokens;⁹ and (iii) environmental considerations for the DLT used.

7.    DLT-FRIENDLY LUXEMBOURG LEGAL FRAMEWORK FOR THE ISSUANCE AND SAFEKEEPING OF SECURITIES

The DLT Paper ties in to the already existing Luxembourg legal framework regarding the issuance and safekeeping of securities by using the DLT technology:

• The 2001 Law has been amended by the law of 1 March 2019 to provide for (i) the maintenance of securities accounts and (ii) the transfer of securities by way of crediting and debiting of securities within or through secured electronic registration mechanisms including distributed electronic ledgers or databases;
• The Luxembourg law of 6 April 2013 on dematerialized securities has been amended by the law of 22 January 2021 to provide for the issuance of dematerialized securities into a securities issuance account that may be maintained, and the registrations of securities may be carried out, within or through secured electronic registration mechanisms including distributed electronic ledgers or databases; and
• In March 2020, the function of a virtual asset service provider (VASP) was introduced in the Luxembourg law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the 2004 Law).¹⁰ 

8.    DLT IN THE EUROPEAN CONTEXT ¹¹

In the broader (European) context, as part of the European Commission’s digital finance strategy,¹² it is important to note two ongoing initiatives that were launched in September 2020:

8.1    Markets in crypto-assets regulation (the MiCA Regulation)

The draft MiCA Regulation¹³  aims to create a harmonized framework within the European Union (EU) for the issuance, application, and provision of services in crypto-assets. It is the first legislation of its kind within the EU and seeks to effectively address crypto-assets that are currently not covered by the EU’s regulatory perimeter.

8.2    Pilot regime for DLT-based market infrastructures (the DLT Pilot Regime)

The proposed DLT Pilot Regime¹⁴ aims to enable market participants to operate a DLT market infrastructure (either a DLT multilateral trading facility or a DLT securities settlement system) by establishing clear and uniform operating requirements for the use of DLT in a decentralized setup rather than through a centralized structure, as is currently the case. The overall objective is to remove regulatory hurdles to the issuance, trading, and post-trading of financial instruments in crypto-assets and for regulators to gain experience on the application of DLT in market infrastructures. This, in turn, could lead to efficiencies in the trade and post-trade areas and drive down costs to the benefit of investors.

As of today, the draft DLT Pilot Regime is at a more advanced stage than the draft MiCA Regulation, since the European Parliament has voted amendments (published on 5 August 2021)¹⁵ to the initial proposal of the DLT Pilot Regime. The European Parliament proposes to include within the scope of the DLT Pilot Regime all financial instruments listed in Section C of Annex I of MiFID¹⁶ with the exception of depositary receipts that are issued, recorded, transferred, and stored using a DLT. In the European Commission’s initial draft, the scope of the DLT Pilot Regime was limited, in particular, to securities similar to shares and bonds that are issued, recorded, transferred, and stored using a DLT.