How to Approach Legal Strategy for Your Web3 Project: a Playbook

Welcome to our Legal Strategizing Playbook for Web3 Builders. This resource guides builders through the ins and outs of the crypto regulatory landscape and explores how best to build a legal strategy for a Web3 project in 2024.

In this playbook, we’ll guide you through the three stages of building your very own legal strategy, with guidance on some of the best practices and the very first steps you should be taking. We want to provide a playbook for builders to help them figure out the high-level legal strategy for their Web3 projects, either along a centralized or a decentralized route. Look out for other important guides and resources, linked throughout this playbook, to help you understand how to build a progressive decentralization roadmap for protocols and how to choose a VASP/CASP regime for dApps.

Before we dive in, let’s first look at why it’s important to create a robust legal strategy for your Web3 project. We’ll then assess the recent regulatory developments that the Web3 market has experienced over the last few years and which have helped us to develop this playbook.

Why legal strategizing for Web3 projects is important

When it comes to building a Web3 project many questions arise on the builders’ side. The following statement neatly sums up the position of many builders:

“We are flexible in our approach to building tech, therefore we need to figure out regulatory requirements first to be able to build a protocol that will be “compliant by design”. However, the current global regulatory environment for Web3 is very complicated, so where do we even start?”

This statement is promptly followed by a series of questions along the lines of “What if we do this?” or “Are we allowed to do that?”

It’s quite difficult for builders to figure out the legal consequences of their activities based on the current state of the regulatory environment in crypto. Furthermore, even after initial legal research of one question or even 10 of the most critical questions is complete, many Web3 builders ask themselves “What did I miss?”, “Have we overlooked something?”, and “Is there anything that could come back to bite us later on?”.

Builders’ concerns and queries are quite justified: if something is missed in the early stage of building a project it might result in a future filled with unwanted surprises, like unpredicted costs, delays, and even exorbitant fines and charges for non-compliance from regulators who are quick to sniff out non-compliance. So the question then becomes: “How can a Web3 builder predict all these matters and be aware of all these potential issues and future risks in the complex and complicated environment of global crypto regulations? And how can builders do so without spending a small fortune on lawyers and waiting forever for their legal memorandums?”.

Our suggestion is to use a “general-to-specific” approach where the first step is to figure out a long-term legal strategy and after that to dive deeper into the details. And in this playbook, we are going to show you how we do that.

Recent crypto regulatory developments to take into account when building a legal strategy for Web3

The year of 2023 was very “productive” for regulators when it came to crypto market regulations. Actions undertaken by regulators in 2023 built upon a wave of new laws, frameworks, and recommendations introduced in the past decade. In 2023, Web3 projects experienced a continued introduction of regulations on both an international (global) level and on a local level. International regulations included:

• The FATF, the Financial Action Task Force, introduced the Travel Rule according to which financial institutions and VASPs must collect and share information about the beneficiaries and originators involved in digital fund transfers to fight money laundering and terrorism financing via cryptocurrency. 
• New rules were introduced by the OECD, the Organisation for Economic Co-operation and Development, namely the Crypto-Asset Reporting Framework (CARF) and Amendments to the Common Reporting Standard (CRS), to enhance tax transparency regarding financial accounts and crypto-assets on a global scale. These rules require the automatic reporting and exchange of taxpayer information between countries.
• IOSCO, the International Organization of Securities Commissions, issued policy recommendations regarding DeFi, with IOSCO Chair and Chief Executive Officer of the Securities and Futures Commission (SFC) of Hong Kong, Ashley Alder, stating “DeFi is a novel and fast-growing area of financial services, and this report outlines key areas of concern for IOSCO.” The report concluded that DeFi services mimic traditional finance but enjoy much looser regulation, posing higher risks for investors. The Report also questioned the claim that DeFis are fully decentralized without centralized control.

With global regulators making hugely impactful statements and reports on Web3, local regulators began to implement the sentiments behind these recommendations. For example, the UK implemented the FATF’s Travel Rule, and Singapore implemented the CARF by the OECD.

In addition to this, local regulatory developments have been taking place at a somewhat rapid speed, including:

• MiCA (Markets in Crypto-Assets Regulation) in the EU, which introduces a brand new legal framework to try to establish consistent EU market guidelines on crypto assets.
• Hong Kong's Securities and Futures Commission (SFC) has proposed new rules for virtual asset trading platforms and established a Task Force on Promoting Web3 Development, chaired by the Financial Secretary, that is set to run for two years. 
• BaFin, the German regulatory authority, unveiled a series of objectives to enforce tighter regulations on DeFi while safeguarding consumers from potential risks.

These are all examples of “principles-based regulation”, an approach that has been used by many open-minded regulators. Unfortunately, there were many cases of “regulation by enforcement”, with the United States taking the lead with this approach. Consequently, we’ve seen an endless stream of cases brought by the SEC, the U.S. Securities and Exchange Commission, and CFTC, the Commodity Futures Trading Commission, against many Web3 businesses. Cases that spring to mind include the SEC against Kraken and Coinbase, where many tokens were qualified as securities; the case of the CFTC against OoKi DAO, where DAOs were qualified as unregistered entities; and of course who can forget one of the biggest cases in the history of anti-money laundering, with FinCEN securing the largest settlement in US Treasury history against Binance.

These huge numbers of regulatory updates and regulatory enforcement actions taken by regulators make the whole development of Web3 regulation heavily one-sided. It places a big regulatory burden on Web3 projects, especially for those in their very early stages, as most of these regulations are new and require various legal and compliance works from the projects’ side. However, it’s not all doom and gloom; from another point of view, it’s promising to see such a notable global regulatory trend taking place, as this affirms that the market is becoming more mature and clear rules of the game are needed to protect all the stakeholders of the crypto market.

Adopting a unified approach to regulating crypto

Another important outcome of the recent crypto regulatory developments is the feeling that the regulators of different countries—and the global policy-making bodies—are one step closer to achieving a consensus on a global level for regulating crypto. As many Web3 projects are borderless and can therefore be accessed by any user from any country, it is a huge administrative burden for Web3 projects to figure out the different regulatory approaches of different countries, and pay the costs to stay compliant. If, on the other hand, a more unified approach for crypto regulation is implemented, then this will result in much easier adoption and scaling of global markets for Web3 projects.

Taking into consideration the recent regulatory developments and the efforts of reputable policy-making bodies, two key observations can be made:

1. The different regulatory approaches should be used for regulating different layers of Web3 projects. Industry players like venture fund a16z crypto have already talked about regulating dApps, not protocols. The Crypto Council for Innovations, an organization based in Canada that aims to form a global alliance to advance crypto regulations, has published a DeFi framework that explores the key elements for creating effective regulatory frameworks for DeFi projects. For example, one of the report’s key points includes the promotion of principles for building effective and fair regulations, such as following the principle of “‘Same Activity, Different Risks, Different Regulation BUT Same Regulatory Outcome’”.
   
   
2. If the Web3 project is sufficiently or fully decentralized, then it should be treated as a public good (in economics this means a good that is both non-excludable and non-rivalrous) and should fall outside the scope of crypto or virtual asset regulations. The U.S. SEC first described the concept in 2019, and, since then, various industry voices have proposed possible routes of sufficient decentralization for Web3 builders.

How to build a legal strategy for your Web3 project

We suggest building your legal strategy for your Web3 project by starting with these three key questions:

1. What are you currently working on, a protocol, a dApp, or both?
2. If building a protocol, what is the current state of decentralization; if building a dApp, what is the existing functionality of the dApp? 
3. What is the long-term strategy of the Web3 project in terms of ownership and control? Do you plan to keep it centralized and under the control of the developers or do you plan to structure it as fully decentralized?

The answers to these questions can help Web3 builders to get a high-level preliminary understanding of whether their Web3 project will or will not fall within the scope of VASP / CASP regulations.

Why are these questions important? 

The answers that these questions produce can hugely affect all other matters of the Web3 project, including promotion activities, software architecture, user acquisition campaigns, tokenomics, etc. The absence of this understanding might create a lot of unwanted “surprises” in the future, like the requirements to obtain licenses, introduce KYC for users, restrict some promotion activities, or—if some of these activities have already been done—it may even result in fines and other regulatory punishments and charges.

Therefore Web3 builders must set up their legal strategy at the earliest convenience to proactively stave off unpredicted costs, delayed release, and risks of non-compliance in the future.

Use the flow diagram below to explore different Web3 legal strategy routes.

Deep diving into the playbook for Web3 Legal Strategizing

Now that we’ve outlined the basic steps, let’s look in more detail at each of the three stages.

Stage 1: figure out what you are working on

The first question for building your legal strategy is related to the clarification of the moving parts (technical layers) of your Web3 project, each of which should be legally structured. So, what are the technical layers of Web3 projects?

Finding the answer to this question takes a little time, and we’ve built a separate guide to help: Differentiating DLT, Protocol, and dApp for Proper Legal Structuring of a Web3 Project. This guide assists builders with distinguishing the different layers of their Web3 project from each other. The main thesis of this guide is that each technical layer of a Web3 project (the DLT, the protocol, and the dApp) has a different risk profile and—as a result—has a different legal qualification. This means each layer requires a different scope of compliance work. 

We recommend spending some time exploring the guide differentiating the three layers of your Web3 project to correctly answer the first question of how to build a correct Web3 legal strategy.

Stage 2: analyze and assess the state of decentralization and functionality

This second stage of the playbook is related to the state of decentralization when speaking about the “protocol” layer of the Web3 project and the functionality when speaking about the “dApp” layer of the Web3 project. To undertake an analysis, and effectively perform a self-assessment, against these questions, we’re now working on two separate guides to help you:

1. The “Decentralization Test” for Web3 Protocols;
   
2. VASP / CASP Functionality Playbook (Test) for dApps: publication date TBA (click here to get notified).

Stage 3: decide the long-term strategy of ownership and governance

Now that you have successfully analyzed and evaluated your protocol or dApp against the decentralization and functionality tests, you can now face the final question. 

How do you, the founder / builder of your Web3 project see the long-term strategy for your project when it comes to ownership and governance? Do you want to retain control and ownership over your Web3 project or do you want to make it fully decentralized?

Once you have your answer, it’s time to move on to the next step.

Building a tactical legal roadmap

If your team has made a strategic decision to keep control over the Web3 project, then it’s time to start thinking about and planning the tactical legal works to support this decision. 

Your task list will likely include VASP / CASP authorizations, KYC checks, and other compliance measures, as well as reporting procedures. It’s very important to take this strategic decision seriously, as all further tactical steps will be made based on this decision. As a result, it will impact not just legal works, but also all other areas of the Web3 project, including the UI / UX, business model, user acquisition, promotion activities, etc.

If the team has made a strategic decision to develop the Web3 project as fully decentralized, then a different tactical roadmap of legal works should be structured. As it’s almost impossible to build a Web3 project that will be fully decentralized from day one, the concept of progressive decentralization could be used for achieving a level of full decentralization as a step-by-step process. This also results in the matters of tokenomics and token legal structuring for the protocol to be able to incorporate an incentivization model, as well as to structure token-based governance. Regarding the governance matters of the protocol, the DAO might be needed for the protocols, which at an early stage of their development, are semi-permissionless and quasi-autonomous. This means that DAO legal structuring (the legal wrapping of the DAO) should be included in the legal roadmap for the decentralized project as well.

📚 Read more: Progressive Decentralization: a Legal Playbook for Web3 Builders

Towards a future of legal strategy and structuring for Web3 projects

There are different crypto asset-related activities that fall under different types of regulations. Among them are crypto trading, crypto custody, crypto processing, virtual asset investment management and advice, and virtual asset issuance. If your team plans to launch a centrally owned and managed crypto project (controlling users’ funds, collecting and distributing fees, deciding on profit distribution), then it’s better to start preparing to comply with VASP / CASP and be ready to incorporate KYC, to follow reporting requirements, etc.

For Web3 teams who are building decentralized permissionless protocols, the main question is how to structure the development, ownership, governance, interfaces, monetization, and other parts of the protocol in a way where the level of decentralization of the project will be sufficient enough to achieve the state of “public good”. This might reduce the risks of non-compliance for such protocols and even result in the case where regulators will arrive at the conclusion that such “public good” protocols are outside the scope of crypto regulations. Note that this is still an evolving process and more regulatory guidance will likely come in the future.

Of course, it’s impossible to build a fully / sufficiently decentralized project from scratch (from day one) or to obtain CASP / VASP licenses in all global markets simultaneously. However, having a long-term strategy for the project will help to build a roadmap for the project’s compliance and legal structuring: either in the form of “progressive decentralization" decentralized Web3 projects) or in the form of the roadmap of legal authorizations and licenses (for centralized Web3 projects).

Therefore, depending on what you are working on whether it’s a protocol, a dApp, or a combination of the two, check our article with the decentralization test to help you define how the long-term strategy for your Web3 project might look like when it comes to legal structuring and compliance.

Define your Web3 legal strategy with Legal Nodes

Figuring out the Web3 legal structuring scene is already proving to be quite the challenge for builders, founders, and organizations worldwide. Legal strategizing provides a different approach, allowing for the right legal structuring to be applied to each unique element of the project.

At Legal Nodes, we help builders correctly assess their project’s legal needs and find the best solutions for building robust, optimal, and forward-thinking legal structures. We can help you to:

• Figure out exactly what type of project you’re working on, and–specifically–how it will be perceived from a legal perspective (regulators, legal systems, etc.)
• Analyze and assess the state of decentralization and functionality to better understand the legal implications, limits, and opportunities that apply to your project
• Explore the long-term outcomes on decisions made on the governance and ownership of your project

We’ll provide you with guidance on where to start with your legal tasks and you’ll be able to get all your legal tasks completed by experts situated in crypto-friendly jurisdictions around the world. Speak to us today to get started.