For Startups

What the New PRC Blockchain Regulations Mean

We find that crypto-media often put “labels” on certain jurisdictions regarding their approach to regulation. As a result, prospective startups are often deterred from entering countries marked “not crypto-friendly.” 

One of the key missions of Legal Nodes blog is to fight misinformation and provide our readers with the most relevant and realistic regulatory updates.

In furthering this mission, we are opening our blog for other legal experts to contribute their expert knowledge. 

Our first legal expert is David Hong, Senior Foreign Legal Counsel at King & Wood Mallesons who, together with his colleagues, has written an article containing an in-depth legal analysis of the new blockchain regulatory regime in the People`s Republic of China (“PRC”) and kindly agreed to share this article on Legal Nodes blog.

This long-read will help you to get an in-depth understanding on the latest trends of blockchain business regulation in mainland China.


What the New PRC Blockchain Regulations Mean


Introduction – the Rise of the ICO

Initial Coin Offerings (“ICO”) hit the global zeitgeist with a bang in 2017. In those heady times a small project team in East Europe with a white paper and a dodgy website could raise millions of dollars in the span of several minutes. The ICO investment phenomenon coupled with the meteoric rise of cryptocurrencies really raised the profile of the underlying distributed ledger and blockchain technologies.

However, along with the market boom came the fraudsters. Bad faith projects were set up by unscrupulous founders that had no intention of building a platform on which the utility of their particular token could be utilized. Rather than seek to revolutionize the world many of these founders clearly had the plan to take the money raised and run.

These bad actors moved the PRC government to take the hardline measures of banning all ICOs and their marketing on 4 September 2017.

Many people think that the PRC government banned blockchain technology but this is clearly not the case. On the contrary, the PRC government has been very supportive of blockchain technology but has been striking hard against illegal fundraising and fraud related to ICOs.

After over a year of reflection, it seems clear that the PRC government policy was sensible. Looking back at how the early ICO projects have progressed is disappointing. Few have delivered any viable product – and those that have delivered a product the result was often mediocre. The failure of most ICO projects to deliver what they have promised has resulted in a significant backlash from investors and the crypto-community.

To Regulate or Not Regulate?

However, the dilemma for government was clear. On the one hand blockchain is a revolutionary technology that will have a major impact on the global economy. On the other hand, regulation is critically important in order to protect consumers and investors. Over regulate and you may miss the boost to your economy that blockchain will deliver; fail to regulate and there will be major fall out from consumers and investors alike.

Malta was the first jurisdiction to provide direct guidance as to the requirements for offering an ICO in early 2018. This guidance was followed up by a Virtual Financial Assets Act that was issued at the end of last year. These regulations provided certainty to both issuers and consumers in terms of what was expected in a coin/token offering. Since Malta, a number of other jurisdictions including Singapore, Hong Kong and Switzerland have released regulations or guidance on crypto-related projects.

The utility tokens issued in an ICO does not easily fit within established asset classes. For this reason, ICOs were seen as an unregulated area of law. The utility token was not quite a security and in many ways seemed to have more in common with a digital asset. Further the utility token may have specific rights; unclearly defined rights or in many cases no rights attached. For this reason, traditional regulations do not neatly apply. In response, and indicative of the conservative approach of many, larger countries, the SEC in the United States of America determined that regardless of whether a token is labeled as a utility or not it could (and likely would) be classified as a security and be required to comply with US securities regulations.

The importance of blockchain and crypto-currencies means that governments faced with the dilemma of being hands off, regulating or prohibiting such activities do need to take decisions. As expected the common ground will be regulation. Blockchain and cryptocurrencies are too big for governments to ignore or treat in a laissez-faire manner. Equally blockchain and crypto-currencies are too big to just prohibit. Governments will not wish to impede the development of these new technologies.

In our opinion reasonable regulation is healthy for a number of reasons. New regulations will provide legitimacy to the market. At its peak, the entire crypto market was still less than the market capitalization of the world’s most valuable companies and now sits at around USD 120 billion – or how much Facebook lost in market capitalization in one day, after announcing 2018 Q2 earnings. Accordingly, although too big to ignore, cryptocurrencies’ current importance can also be easily over estimated. A major factor holding back the growth of cryptocurrency is due to the lack of large financial institutions that can be actively involved due to the uncertainty in regulations and lack of risk mitigation tools. Regulation should enable cryptocurrencies to move beyond the scams of the past and evolve to help fund real world applications in sectors such as fintech, medical data, supply-chain management, etc. 

The PRC government’s move towards regulating rather than the outright ban of 4 September 2018 should be welcomed by the crypto-community and investors alike. The ideology that cryptocurrencies would be a completely free, decentralized and unregulated sector was never likely to survive interaction with government or investors. Regulations brings oversight, provides certainty and if done correctly should support the development of the sector.

Overview of Management of Blockchain Information Services

The Cyberspace Administration of China (CAC) announced on its website on Thursday, 10 January, 2019, that the new Regulations on the Management of Blockchain Information Services (the “Blockchain Regulations”) will go into effect from 15 February, 2019. China first released draft guidelines for these regulations in October 2018. The CAC supervises and manages blockchain legal compliance matters and each province in China has its own cyberspace administration body.

Main Obligations

The main obligations that the Blockchain Regulations set out include:

  1. Requirement for real-name registration of blockchain information service user (“User”) is an individual or organization that uses blockchain information service.
  2. Registration of blockchain information service providers with authorities. Blockchain information service is an information service provided to the public through internet websites, applications and other forms using blockchain technology or systems. The Blockchain information service Provider (“Provider”) is an entity or node that provides blockchain information service to the public as well as entity or organization that provides technical support.
  3. Periodic inspections and meeting safety/security requirements
  4. Compliance with PRC regulations in respect of content and information publications

Filing with the Cyberspace Administration of China (CAC)

Providers as defined above are required to make a filing to the CAC. The definition encompasses public chains, protocols, DAPPs and any other businesses that provide or use blockchain technology.

Please note that under the regulation, only individuals and entities that use or provide blockchain technology are required to make the filing to CAC. Accordingly, businesses which would not constitute blockchain information service companies are excluded from the filing requirement. However, it should be borne in mind that they may need to obtain other relevant licenses for their particular sector as required by PRC law.

Providers must submit the filing to the CAC blockchain filing system within 10 business days from the date of its operation. For existing Providers, they have 20 business days from the effective date of the new regulation (15 February 2019) to submit the filing.

Provider’s name, service category, form of services, application fields and address of the server and other related information must be provided as part of the filing process.

The filing will be approved within 20 business days and a filing number will be provided. The Provider is required to display the filing number on its website or application.

Requirements and Duties for Providers?

The main requirements and duties for Providers provided under the Regulations are:

  1. Technical capabilities must meet relevant PRC standards;
  2. Have the ability to handle illegal content in a timely manner in respect of publishing, recording, storage and propagation of possible illegal content;
  3. Provider shall establish and improve the management systems in respect of User registration, information review, emergency response, and safety protection;
  4. Must develop and disclose management rules and platform conventions, sign service agreements with Users that clarify the rights and duties of both parties and require the User to obey the laws and regulations and the platform conventions;
  5. Provider shall perform real-identity authentication of Users based on national ID number and mobile phone number. If a User refuses to accept real-identity authentication, the Provider shall not provide the related services to the User.
  6. If the User violates the laws and regulations, the Provider must take actions to warn, restrict or close down such accounts and handle illegal content published by the User in order to prevent the spread of information and report this to the relevant authorities after storing such records.
  7. Providers shall cooperate with the supervision and inspection conducted by relevant departments according to the law and provide necessary data support and technical assistance;
  8. Provider shall voluntarily accept social supervision, set up convenient entrance for complaints and reports, and handle public complaints and reports in a timely manner.
  9. Crucially the Provider is obliged to keep records of User information such as contents and logs for no less than 6 months and provide to relevant authorities as required;
  10. Providers will be required to conduct KYC in respect of its Users. This will have a negative impact on anonymity of Users. However, in practice most investors in blockchain projects also need to meet KYC requirements and therefore the actual impact may be less dramatic than expected. In addition, privacy related projects such as ZCash or Monero will likely to continue to operate offshore from China beyond the reach of the Chinese regulators.

If Providers fail to comply with the Regulations they may face warning, suspension of service, fines and even potentially criminal prosecution.

Security Assessment

If the Provider develops or wishes to launch a new product, application or function then this requires reporting to CAC or its relevant local authority to conduct a security assessment. It is unlikely that the security assessment will be purely based on technical aspects of the blockchain but is also likely to assess whether the new product/application or function also complies with existing PRC laws and regulations. In this case it is likely that applications which touch upon taboo subjects in China (e.g. gambling) would not pass the security assessment.

Extraterritorial effect beyond China

“Engaging in Blockchain information services within the PRC” under Article 2 of the new Regulations will apply to foreign blockchain businesses under the following circumstances:

  1. The foreign blockchain business has a legal presence (e.g. has registered a company) in China and operates in the blockchain related sector as defined by the Provider.
  2. There is a licensing agreement or other arrangement that allows an entity in China to run the foreign blockchain business’ blockchain technology or nodes. In such case the party that operates the blockchain nodes or technology in China will have to make a filing with the CAC.

Accordingly, if the blockchain business operates offshore, that is, nodes and all blockchain related business operations are based outside of China then we believe it is still unlikely to be strictly regulated under the Regulations. This is so even if there are Chinese consumers using the technology while geographically located within China. Our reading of the Regulations is that the PRC authorities have alluded to an opening for extraterritorial enforcement but that due to the practical difficulties involved and their track record it is likely that this would only be attempted in the most extreme of circumstances.


The Regulations should give heart to the crypto community that the PRC authorities are evolving their position in respect of ICOs and blockchain away from the hard ban.

In many ways the closest analogy to the Regulations is the PRC Cyber Security Law of 2017. Both pieces of legislation sought to regulate new technologies and both were passed and implemented quickly after an announcement of the draft for public comment.

As was the case with the PRC Cyber Security Law, the Regulations are general but do provide a basic framework for the sector. However, although the trend towards regulation and away from prohibition is clear, it will take time for interpretation and enforcement guidelines to develop. We expect local officials will act conservatively and take a wait and see approach as this area of law continues to evolve.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, financial, or other advice.

David Hong, Mark Schaub & Stanley Zhou

Legal Nodes Blog

For Startups
Ultimate guide to connecting Virtual Data Protection Officer

Connecting Virtual DPO can greatly reduce start-up’s data protection costs. This article explains who the Data Protection Officer is, why you should consider outsourcing DPO services, and how to pick one that matches the needs of your business....

Legal Nodes Team
Privacy (GDPR)
Cookie Policy: How to Track Website Users Lawfully

The recent study of the Nederlandse Omroep Stichting (the ‘NOS’), a Dutch news media, showed that more than 1,300 Dutch websites violate the privacy of their users. The violation found by the NOS is simple - the users cannot use the websites wit...

Legal Nodes Team
For Startups
Why Your Startup Needs a Founders' Agreement + Template 2021

Founders Agreement – the key step to set clear intentions for you and your partners and to avoid misunderstandings in the future. In a new post on the Legal Nodes blog, we explain what a Founders Agreement is, reasons for your startup to prepare...

Legal Nodes Team
For Startups
Terms of Use that your users will actually read

In this article Legal Nodes Team talks about Terms of Use, how to write them effectively and why you need them in the first place. You could find a FREE template at the end of this article....

Legal Nodes Team
Privacy (GDPR)
How Can You Leverage a Privacy Kit More Effectively?

In this article, Punit Bhatia, a leading privacy expert, shares how small businesses can become privacy compliant by using Privacy Kits in an effective and why just branding the documents and templates in name of your company is not a good idea....

Punit Bhatia
Legal Nodes Updates
Legal Nodes in 2020: A Year in Review

Despite the fact that for many 2020 will be strongly associated with the coronavirus pandemic and lockdown measures, it would be a mistake to forget all the good things that happened this year. Especially when the festive season approaches, and ...

Legal Nodes Team
Privacy (GDPR)
Internet data mining. Is it legal in the EU?

Data mining is the process of collecting and analyzing human-readable data for own purposes. More and more businesses are built on that concept, scientists and medics also use automatically combined data from different sources to spawn predictio...

Ewa Wojnarska-Krajewska
Privacy (GDPR)
11 simple (but complete) steps towards the GDPR compliance in 2020

The GDPR can be a wake-up call to sort out your processes, procedures and technology and thereby run a more successful organisation. Data is now more essential than ever, regardless of your activities or market sector. Not only will efficiencies...

Thomas Hayes
Contract Work
Force Majeure Clauses and the Effect of Coronavirus on Businesses

The coronavirus pandemic has made force majeure clauses one of the hottest legal topics worldwide. To help businesses navigate this issue, we asked Tom Bohills, an English qualified lawyer and the Founder of Chronos Law, to explain the backgrou...

Tom Bohills