Sales of non-fungible tokens (NFTs) have soared in recent months. NFTs have been issued by businesses in various sectors, to raise brand awareness, exploit gaming opportunities in the metaverse, and remunerate artists for their creative output. They are also generating interest among major players in the fintech sector, as we’ve seen with Visa’s acquisition of CryptoPunk. Despite recent growth and some monumental sale prices, confusion remains about what NFTs are and the legal issues they pose.
NFTs are digital assets that are typically built on the Ethereum blockchain and freely tradeable. They generally serve as evidence of ownership of virtual (or even physical) assets, but the specific rights that attach to NFTs vary. Whereas cryptocurrencies and most financial securities are fungible, NFTs are unique (in that they are not mutually interchangeable in the same way that cryptocurrency usually is), although the underlying asset represented by the NFT may not be.
For easily duplicated digital content or assets, NFTs offer a way to establish an “original” or “authentic” version. We like to think of NFTs as digital trading cards stored on the blockchain. For example, an e-sports player might make an NFT of the digital “skin” or outfit that their character was wearing when they won a gaming championship. The inventor of the world wide web recently created and auctioned an NFT of the “original” web source code.
Some NFTs incorporate “smart contracts”, for example to fix how interactions with the content can take place. Coding is locked on to the blockchain as part of the token and self-executes when defined events occur. For instance, the smart contract may be set up so that access to the underlying digital asset is only granted following receipt of payment, or so that the original creator of the digital asset receives a payment whenever the NFT is sold on.
Despite rumours that NFTs will by caught explicitly by the Markets in Crypto-Assets Regulation (MiCAR), they are not specifically regulated at the moment. Nevertheless, existing laws and regulations will apply, and there are several commercial and legal issues that any business issuing, trading or exchanging NFTs will need to consider.
Defining the scope of the NFT
Critically, issuers must be clear what rights are being “sold” with the NFT. These could include certifying ownership of an asset, a licence to use intellectual property rights (IPR), or even contractual rights, for example a right to receive or use a particular asset (whether digital or virtual) or to access benefits. Clarity upfront will avoid the issuer giving up unintended rights and potential claims from purchasers alleging misrepresentation of the rights on offer.
Equally, the purchaser of an NFT needs to understand what they are acquiring. For example, if the NFT incorporates smart contract functionality, this will be encoded into it and may not be evident on the face of it. Purchaser due diligence is needed to establish what rights and obligations are being acquired, particularly if they might impact on the current or future value of the NFT and the underlying asset.
What an NFT represents, how much is expected to be generated from selling it, and even whether it is capable of fractional ownership, will largely be driven by the commercial rationale for issuing the NFT. For example, if the value lies in the scarcity of an NFT or the underlying asset, an issuer may want to restrict fractionalisation (and must ensure it can enforce those restrictions), and purchasers may seek assurances in that respect. However, if the NFT or the underlying asset is high-value, fractionalisation of the NFT (without dividing the underlying asset) may open up investment opportunities for those otherwise unable to afford it. Those factors will also determine (for example) the content of any conditions of sale or smart contract and the applicable regulatory framework.
Intellectual property rights
Issuers will want to control tightly purchasers’ use of any IPR associated with an NFT. Selling a claim to a unique piece of content might seem at first glance to be equivalent to an assignment of copyright. But typically, copyright and other IPR will be retained by the issuer, and the buyer will be granted a right to display the underlying asset. Care needs to be given to how and whether IPR is licensed through the sale and subsequent transfer of the NFT, particularly to ensure that the issuer’s valuable brand is protected (including effective remedies if their IPR is misused).
What the purchaser of an NFT will own depends on any coding or smart contract embedded in the NFT (or the terms of sale in a traditional contract format). NFT creators may, for example, set up an NFT to create an automated ongoing payment of royalties or commission on any resale of the tokens. Payment could be automated via a smart contract within the NFT, with the issuer able to track resales since they will be logged on the blockchain where the NFT is held.
Businesses must assess whether their NFT is a regulated investment, security or payment instrument and/or whether offering it for sale, or providing related services such as a custody or exchange plat-form, constitutes a regulated activity for the purposes of financial regulation. Although NFTs are not (yet) specifically regulated, if they exhibit characteristics of other regulated investment units, they may trigger national and supra-national legal obligations. In particular, issuers will need to demonstrate the non-fungibility of any NFT they offer, to avoid it being considered a security token or cryptocurrency, which could be caught by financial regulation (including the upcoming MiCAR).
These regulatory obligations range from “know your client” identification and verification and associated record-keeping and monitoring obligations and other compliance obligations under anti-money-laundering regulations, through sanctions regimes, to much more onerous requirements where securities regimes or other investment laws are triggered. Issuers and service providers will generally be caught by regulation in the jurisdiction into which the NFTs or related services are sold, particularly if offered to the retail market. Given the inherently global nature of these digital assets, multi-jurisdictional analysis will usually be required.
Liability for compliance will sit with the regulated entity and is difficult to pass on. As well as any financial penalties, the reputational risk of non-compliance will be severe.
Aside from financial regulation, businesses must also ensure that any marketing activity in respect of its NFTs is compliant, bearing in mind that several regulators have taken enforcement action in the crypto space, including in relation to advertisements for unregulated crypto that did not adequately highlight financial risks.
Data security and ESG
It is unlikely that the sale of NFTs will involve the disclosure or exchange of significant personal data, so compliance with privacy laws will not be a material consideration. However, the security of data and NFT transactions more broadly will be paramount. Technical teams will need to consider which security and data-sharing standards, and which blockchain protocol (most commonly Ethereum), will be deployed. In addition, there will need to be appropriate technical arrangements in place to ensure the permanence of NFTs and, crucially, any digital assets they represent.
We have discussed the environmental impact of some blockchain systems previously. With environmental, social and corporate governance issues high on the corporate agenda, businesses issuing NFTs, particularly those on Ethereum (a proof of work system), will need to consider whether they align with wider organisational environmental strategy. And, if an NFT falls under the scope of the Sustainable Finance Disclosure Regulation, issuers will have to ensure proper disclosure on their web-site and pre-contractual documentation.
Issuers often engage a third-party technology provider to “mint” NFTs. The “minting” agreement will need to define clearly the scope of the provider’s responsibilities, as well as assurances that IPR and confidential information will be adequately protected (particularly as NFT projects can be commercially sensitive).
Crypto funds will be needed to “mint” NFTs, so businesses should consider procuring an enterprise-grade crypto wallet. Thorough vendor due diligence will be needed to ensure adequate protection is available in case of theft or misappropriation of crypto assets in the wallet.
As well as any agreement with technology partners, the terms on which NFTs are offered for sale to purchasers need to be set out clearly. These will likely take the form of “traditional” legal terms that are accepted by the purchaser at the point of sale, and may be coupled with a smart contract that automates certain aspects. They will need to be drafted in compliance with local consumer protection regulation, which may give purchasers enforcement rights in their home country. Even with well-drafted terms in place, issuers need to be mindful of the practical challenges of identifying potentially anonymous perpetrators who could be located in any jurisdiction, and how disputes will be resolved and judgments enforced.