DAOs and the law: Securities law


Decentralised Autonomous Organisations (DAOs) are an emerging method for organising community based activities using blockchain technology. In the third of a series of articles exploring legal issues related to DAOs in Hong Kong, Pádraig Walsh and Shirley Kong from the Digital Services and Fintech practice of Tanner De Witt explain how securities law can apply to DAOs and DAO participants.

Key principles

If the substance of an arrangement involves activities that require authorisation or licensed persons, then regulators will pay attention regardless of the form of the arrangements in question. Consequently, DAOs will trigger securities law if the activities of the DAO, or products and services offered by or via the DAO, are considered to be securities under applicable laws.

Regulated activities: A DAO and DAO members could breach applicable securities and financial services laws, if they conduct activities which require a licence or registration without fulfilling those obligations. Relevant regulated activities in Hong Kong that often come into question are regulated activities in respect of securities and futures, payments and stored value facilities.

In the Ooki DAO case in the US, the DAO was effectively operating a virtual asset exchange platform. This operation required a licence which the DAO did not obtain. It was ordered by the Commodity Futures Trading Commission (CFTC) to pay fines and shut down its website, and became subject to trading and registration bans. A similar outcome could be expected if the same situation arose in Hong Kong.

Authorisation and disclosure obligations: A DAO may be subject to authorisation or disclosure obligations in respect of products or services the DAO offers. This is particularly the case if the offer is in relation to a financial or investment product that is considered a security. Most legislative regimes will require offering documents in respect of securities to contain prescribed information and disclosures, and for those offering documents to be authorised by a competent regulator. Failure to do so may result in substantial fines and enforcement actions.

For example, a person cannot issue a document that contains an invitation to the public in Hong Kong to enter into or offer to enter into an agreement to acquire securities, unless the document has been authorised by the Securities and Futures Commission (SFC). It does not matter where the person issuing the document is located in respect of the commission of the offence (though it would influence enforcement).

Taking an example from the US, Wyoming is the first state in the US to pass a law recognising DAOs as a separate legal entity. The Securities and Exchange Commission (SEC) effectively shut down Wyoming’s first authorised DAO, American CryptoFed DAO, for failure to comply with the disclosure requirements and for making materially misleading statements. Again, a similar outcome could be expected if the same situation arose in Hong Kong.

Decentralised finance

There is a high degree of innovation involved in a number of decentralised finance (DeFi) protocols. Nonetheless, DeFi arrangements still carry many of the same characteristics as traditional financial products and services. DeFi arrangements require people to launch, promote, operate and service them, and this is often performed by a small number of persons with significant influence over the arrangements. These people and DeFi arrangements will still be subject to applicable laws.

Analysing common DeFi arrangements, if the underlying financial product is a security, then:

Issuers of securities could include DEXs offering their own products, crypto-lenders who offer interests in lending pools, and developers or founders of DeFi protocols who directly sell crypto-assets.

Market intermediaries could include DEXs who facilitate products of others, broker/dealer activity in relation to crypto-lending products and other DeFi products, and aggregators who facilitate users to source and use the most favourable market terms.

Collective investment schemes could include liquidity pools and lending pools.

Exchanges could include aggregators and DEXs that facilitate exchange and trading of crypto-assets.

Clearing and settlement could also be conducted by aggregators and DEXs, as indeed could Layer 1 blockchain protocols.

If the relevant arrangement has implications under securities law, then the regulator must approach the arrangement by applying and enforcing the applicable legislative and regulatory framework.

Hong Kong securities law

Securities: In general, securities can be divided into:

(a) equity securities;

(b) debt securities;

(c) interests in collective investment schemes (“CIS”);

(d) rights that convert into or are closely linked to any of the above; and

(e) in certain circumstances, structured products.

There are also certain exclusions from the definition of securities.

Equity securities: The characteristics of equity securities include:

(a) the right to receive dividends or share in the profits of the underlying business;

(b) the right to participate in the distribution of the surplus assets of the underlying business upon winding up; or

(c) the right to vote in respect of matters relating to the underlying business.

Debt securities: The characteristics of debt securities include a right to repay investors the principal of their investment on a fixed date or upon redemption, with interest paid to investors.

Structured products: A structured product includes an instrument for which the return is determined by reference to:

(a) the value of any type or combination of types of securities, commodity, index or property; or

(b) the occurrence or non-occurrence of any specified event or events.

If an instrument is a CIS, then it would not also be regulated as a structured product.

Collective investment schemes

In the context of DAOs, perhaps the most impactful category of securities is that of collective investment schemes. This will be particularly relevant if the DAO is involved in any investment activity.

The characteristics of a CIS include management of proceeds received by the scheme operator to invest in projects with an aim to enable participants to participate in a share of the returns provided by the project. However, the true scope of the definition of a collective investment scheme is broader, and is worth deeper explanation.

A CIS has four elements:

(a) it must involve an arrangement in respect of property;

(b) participants do not have day-to-day control over the management of the property even if they have the right to be consulted or to give directions about the management of the property;

(c) the property is managed as a whole by or on behalf of the person operating the arrangements, or the contributions of the participants and the profits or income from which payments are made to them are pooled; and

(d) the purpose or effect of the arrangement is to enable participants to participate in or receive profits, income or other returns arising from, or represented to arise from, the acquisition, holding, management or disposal of the property (or any part of the property), or any rights or benefits of the property (or any part of it).

A CIS can be any arrangement. It is not limited to any specific form. Usually, an arrangement is a contractual or non-contractual arrangement in respect of an investment proposition. So, for instance, a DAO could be part of an arrangement.

A CIS must relate to property. Property is not limited to cash or fiat currency. It can include intangible personal property, and property with no intrinsic value, but which is representative of value. Digital tokens are intangible personal property.

One of the hallmarks of a CIS is that participating persons in the scheme do not have day-to-day control over management of the arrangement. In theory, DAO participants should be actively engaged in community decisions and governance. However, it is not enough that participants are consulted, or that they can give directions. In order for an arrangement to fall outside the scope of a CIS, all participants must, as a matter of fact and substance, manage the arrangements on a day-to-day basis. Decisions must be initiated, decided and implemented by them, not a third party.

In colloquial terms, the target is to identify who is or will be “minding the shop” on a day-to-day basis. It may be that the persons involved on a day-to-day basis report to higher authorities, or act on behalf of those higher authorities. However, it is the former, not the latter, who have day-to-day control. On the other hand, if the participants have day-to-day control, then the arrangement is not a CIS. This is a question of fact and substance. The terms of a contract are not definitive.

According to the FAQs on “Offers of Investments” under the Securities and Futures Ordinance (Cap. 571) (SFO) issued by the SFC, “day-to-day control” means routine, ordinary, everyday management or operational decisions. The phrase does not just mean the responsibility to decide what is to happen to the property. Each participant must have day-to-day control of his property. The SFC has not set out specific examples of the decisions in question.

If the participants do not have day-to-day management control, then this qualifying condition for a CIS is fulfilled. It is not necessary to identify the person that has day-to-day management control. It is sufficient simply to show that participants do not have day-to-day management control.

A DAO may be conceived as being decentralised, but it is not without human actors. Some human actors will achieve a level of influence that is significant and becomes a key element of success or failure. The founders and first promoters of a project will often be core service providers to the ecosystem. If the service providers have the discretion to propose, make and implement decisions, then that can amount to a form of centralised authority. Decentralisation will also mean that participants (that is, users) do not have control over the property as a whole.

The marginal input of participants, the performance of administrative tasks, or the right to provide input, do not constitute management. For instance, holders of tokens may perform minor tasks to promote participation in the ecosystem. These activities do not constitute management activities.

Management can also be distinguished from governance. Governance is primarily policy-making and supervision. Management is active decision-making in respect of the managed property, and requires the exercise of control to perform the management function.

The key is to look at the substance of the arrangements. If in substance each investor is investing in property whose management is under his control, the arrangements will not be a CIS. If in substance each investor is getting rights in a scheme that provides that someone else will manage the property, then the arrangements will be a CIS.


Once an arrangement has implications under securities law, one of the first steps of a regulator is to identify the persons who could be responsible for or subject to regulatory obligations in respect of the arrangement. If an arrangement is genuinely decentralised, then it may seem that nobody is responsible or subject to regulatory obligations.

Decentralisation is a governance and systems concept. Decentralisation is based on a set of governance rules and processes designed to obtain and implement community decisions, without a central authority.

Key features of decentralisation should include:

Automation: There should be a high proportion of activities that are automated and conducted by smart contract, without human intervention.

Voting: Any significant or material change or need in the conduct of activities should be decided upon by a voting mechanism that fairly involves and represents the DAO community. Voting, in practice, must have a reasonable level of participation.

Decisions: Allocation of tokens, or other mechanisms that influence decision-making power, should avoid unfair weighting or other features that lead to a concentration of influence. Veto or gatekeeping rights should be minimised.

Communications: Communications should be conducted in a manner to minimise or eliminate information asymmetry or arbitrage. All significant or material communications or discussions should be conducted simultaneously and openly by all in the DAO community.

On-chain: As much activity as practicable should be conducted on-chain.

Decentralisation is not a clearly defined condition. Each of these factors is a matter of degree. A DAO may have some degree of each of these factors, and not be genuinely decentralised. Also, some additional elements may further vitiate decentralisation. For instance, can the operations of a DAO be considered decentralised if a substantial number of tokens are delegated to the same person, or are locked up for staking?

Decentralisation should be present both as a matter of design and practice. At a design level, governance rules may make decentralisation difficult to achieve, if the design of the rules results in concentration of influence and authority. There has not been significant convergence in governance characteristics for DAOs. At a practice level, lack of community participation may result in decisions being taken by a small number of persons. After all, many DAO participants are content to be users, and may not have the expertise, interest or resources to participate in community decisions.

Decentralisation is a condition that is achieved over time and in stages. It is not a box-ticking exercise that is swiftly accomplished. In the recent collapse of JPEX, the unlicensed trading platform, JPEX stated in one peremptory public statement that it was now a DAO, and investors could exchange their investments into JPC Tokens. JPEX claimed that it would repurchase JPC tokens in two years’ time, repaying the investors the entirety of their capital. The JPEX DAO was unlikely to be decentralised in substance. Decentralisation is not a light switch that can be turned on instantly.

Ultimately, many DAO activities are the result of the activities of the persons who create, offer and maintain them. Natural persons are still needed to bring forward proposals for improvement, curate and moderate proposals for change, implement technical changes, and hold and use administrative keys. This may result in a degree of centralisation in respect of the DAO arrangements as a whole. Some DAOs are quite decentralised with a strong emphasis on decision making by token holders who vote on community proposals. Other DAOs are still quite centralised, with decisions being taken and operations conducted by a small number of persons or a central body.

These difficulties are highlighted in the SEC’s July 2017 report on The DAO. The DAO was a decentralised venture capital firm, which sold US$150m DAO Tokens to the public. The investment objective was to invest in digital-asset projects with the aim of distributing returns to the token holders. The token holders could either keep their tokens so they can realise their investment gains later, or convert their tokens into other digital assets on third party platforms. Each token granted its holder a vote in DAO governance matters such as selecting investment projects and distribution proposals. The DAO promoters selected a group of managers called “curators”, who performed security functions and managed governance for the organisation. The SEC concluded that the DAO’s investors relied heavily on the managerial efforts of the promoters and curators to manage The DAO. The DAO token holders did not determine which proposals would make it to a vote nor have sufficient information about a proposal. In effect, The DAO was not decentralised.

It remains the case though that when a DAO becomes progressively decentralised, the DAO is less likely to be considered as a “CIS”. As a network becomes truly decentralised, the ability to identify an issuer or promoter to make the requisite disclosures becomes difficult, and less meaningful.


A regulator is agnostic to the form in which an activity is conducted or a financial product or service is provided. In Hong Kong, if DAO tokens are “securities” within the meaning of the SFO, then the offering and sale of these security tokens require compliance with requirements for authorisation under Hong Kong securities law, and any person who markets and distributes the security tokens to Hong Kong investors would also need to be appropriately licensed to do so. The choice of persons to organise as a DAO does not mean those persons do not have regulatory obligations.

Pádraig Walsh and Shirley Kong

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 24 April 2024.