There’s been a lot of talk about security tokens recently. But what is a security token in the first place? How do they work? And how might they impact your job or business? That is, why should you care about them?
Before diving into the rest of these questions, it makes sense to first start with: what is a security? A security is a fungible (mutually interchangeable) financial instrument that holds some monetary value. Broadly, securities can be categorized as either equity or debt.
An equity security represents an ownership interest in a company (like a share of Apple stock), and a debt security represents money that is borrowed and must be repaid, so the holder is entitled to the payments made on that debt by the issuer (like a corporate bond or U.S. Treasury bond).
What is a Security Token?
Tokenized securities are simply securities with an electronic wrapper around them.The value of this electronic wrapper is that it makes security tokens easier to trade in a way that complies with the appropriate regulations. There isn’t much upside to tokenizing public equities like Procter & Gamble stock because they are already so liquid: Almost anyone can buy and sell them without much of an issue.
You may have a good investment hypothesis that the apartment building down the street is going to appreciate, but you may not have a couple million bucks to put up to buy it — and if you do, you better be really confident because it’s going to be hard to sell. Because it’s difficult to sell (AKA illiquid), it’s worth less- that is, there is an illiquidity discount (usually cited as 20–30% in the academic literature).
There is currently a large amount of capital that would like to invest in illiquid securities like small Real Estate Investment Trusts (REITs) which may own the apartment building down the street from you or small businesses, but in order to do that, they have to lock up their capital for a long time. You can invest in a pizza shop, but there’s no way to get that money out if you need it for anything else: you have to wait until the pizza place is sold or pays dividends.
By contrast, if you want to buy stock in Apple, you can buy a single share for a couple hundred bucks and sell it in minutes if you change your mind. Tokenized securities allow for businesses to lock in funds without locking investors in because the tokens are tradable on a secondary market. The business still gets to use the capital, but investors can exchange shares with each other.
What is the Worth of Security Tokens?
Take, for example, a small, private American REIT: There are restrictions both at the fund level and regulatory level (e.g. less than 50% of shares can be owned by non-Americans, and you must have more than 100 investors to receive favorable tax treatment, but less than 2000 or you have to go public).
In effect, this means that if any of the investors want to trade their shares of the REIT with another investor, they have to call up the fund manager to get permission, and they have to find someone who wants to buy their shares who has been approved to trade by the fund manager as well.
This is a lot harder to do than just logging on to your Schwab or TD Ameritrade account, so today securities like small REITs and shares in a small business suffer from an illiquidity discount. The academic literature places this illiquidity at 20–30%. So if you own 100% of a small business worth $1 million, tokenizing the equity in the company would instantly move the value to $1.2 million.
The major reason for the illiquidity discount, and the benefit from using security tokens, is that these securities can be traded around the world. It is still very difficult for investors to buy securities in other countries. With a token, you could code restrictions into the token, enabling buyers and sellers to trade in a secondary market as long as the trade doesn’t violate the hardcoded restrictions. Tokenizing equity in start-ups probably isn’t that valuable at least today because most start-ups are overfunded rather than capital constrained.
One possible early use case of security tokenization is a local business or franchise that has a proven concept and a few locations, but needs capital to expand. Currently, their funding options are limited. Having a more liquid tokenized security would let them get better funding terms, potentially removing a large chunk of the 20–30% illiquidity discount.
Broadly, you can think about security tokens as “Compliance as a Service.” By coding in compliance at the token level, you allow for more efficient markets with fewer rent-seeking intermediaries.
How Exactly do Security Tokens Work?
At a high level, pretty much all security tokenization companies work the same way: An issuer (like the REIT fund manager or the pizza shop owner) issues a security token which represents an ownership claim in a company. The issuer then creates a whitelist of wallet addresses (usually Ethereum) of investors who are allowed to buy stakes in the company.
All the individuals on the whitelist have to prove that they are compliant with whatever the restrictions are for that particular security. At a minimum, this probably involves complying with KYC (know your customer) and AML (anti-money laundering) laws, as well as proving they are accredited investors.
There is no way a security token protocol can have the regulations of hundreds of jurisdictions baked into it, but the vast majority of regulations can be complied with by restricting who can own the token. This is what the whitelist does.
Issuers can also outsource the curation of whitelists to third party providers including centralized exchanges. The whitelist then serves as a “liquidity pool,” where everyone on the whitelist can trade with each other because they have all been properly vetted.
Issuers will likely allow third party providers to do KYC/AML and due diligence on investors and add them to the whitelist, so that exchanges don’t have to go to issuers every time someone wants to trade their token. This should increase the liquidity of security tokens, making them (and the underlying security they represent) more valuable.
You can trade security tokens anywhere or anyway you want as long as your counterparty is whitelisted. tZero, Blocktrade and Open Finance are some of the first exchanges where individuals and institutions trade security tokens.
There are companies popping up that will help issuers tokenize securities like Harbor. Harbor exists as an oracle, an agent that verifies “real-world” data and submits it to the blockchain. In this case the data is whether the counterparty to a trade is whitelisted.
If you try to trade a security token with some counterparty, then that pings Harbor to make sure that they are whitelisted. If they are, the trade goes through. If not, it throws an error message and you aren’t allowed to complete the trade.
Security tokens are not bearer instruments like most other cryptoassets. Bitcoin is a bearer instrument because if someone gets your Bitcoin private key, they can spend your Bitcoin. Cash is also a bearer instrument — if I drop a $10 bill and you pick it up, you can spend it and I don’t have any way to stop you.
You can’t steal a security token because a token is not the security itself, it is an electronic representation. No one can transfer a token to their wallet unless their wallet is whitelisted, in which case they would have gone through KYC/AML so you would know who they were (and then, I suppose, you could send someone to arrest them).
Another advantage of security tokens is that they will help private companies keep track of their cap tables without an army of lawyers. You would assume in 2018 that this was already done electronically, but it’s still done mostly on paper, which is surprisingly problematic.
There was an infamously messy case in 2013 where Dole Foods thought they had thirty six thousand shares outstanding but investors thought they owned forty nine thousands shares shares.
Why is Server Seeding Required?
More likely it’s a much longer number (likely 128 bits or more) embedded at the manufacturer, who then loads a database into SE’s authentication server containing the SN (or a salted hash of that number) and the seed. Three reasons for this:
- From a security perspective, deriving the seed from the SN means that anyone who knows the hashing algorithm and the SN has everything they need to generate a code.
- Another security concern: The SN is only 10 decimal digits. If this were the seed, you’d have a key space of no more than 10 billion seeds. You could brute-force that on a cell phone. A longer seed would significantly increase the size of that space.
- Blizzard uses the same model token for WoW, but you can’t use a Blizzard token on an SE account or vice-versa. (Source: Two ex-WoW players in the house, you damn well better believe we tried.) This could be a simple server configuration in the form of ‘accept only tokens within this range,’ but depending on what profit margin, if any, the publisher makes on the token, they may have no incentive to restrict.
What are the Potential Impacts of Security Tokens?
One likely impact of security tokens is that we will need less security lawyers. A lot of the work of drafting “wet,” paper contracts will be replaced with writing “dry,” code contracts. Knowledge of the law will still be necessary, so you could imagine that lawyers who learn to write smart contracts will be extremely valuable.
Another industry that is likely to be impacted is asset management. Historically, all that mattered for asset managers was their assets under management (AUM) and the management fees they generated. If an asset manager is managing $100 million, and they charge 1% of that as a management fee, they make $1 million/year regardless of whether they invest those assets well or not.
In a world dominated by security tokens, there would be nothing for them to “manage.” There are no stock certificates that need to get sent around by the back office. Instead, you may see investment advisers that make buy and sell recommendations, and you, as an investor, can sign up to “follow” them and invest alongside them, and they’ll get paid for making the correct picks.
We’re also likely to see some emergent effects that we’ve never seen before. Imagine if all the real estate in New York City was tokenized. You could create Exchange Traded Funds (ETF’s), like an Upper West Side ETF, Brooklyn ETF, and Financial District ETF. That would let traders go long Brooklyn, short Upper East Side.
Security tokens are different from other financial innovations, like the credit default swaps and credit default obligations that caused the 2008 global financial crisis. One of the big causes of 2008 collapse was the concentration of risk. With security tokens being on the blockchain, the regulators or anyone with access to the blockchain will always be able to know how concentrated the risk is because there is a lot more transparency.
Another emergent effect is that we will see new things being securitized that aren’t securitized today. Historically, it has been hard to securitize stuff like art, so there is a big illiquidity discount. Not many people can afford to buy a million dollar piece of art, but a lot more might buy 2% of it. These assets could also be bundled up so you could go long French impressionist but short Modern art. Financial regulators may eventually mandate the tokenization of securities. Because security tokens are effectively “compliance-as-a-service,” they makes regulators’ jobs easier.
The physical security tokens come sync’d to the current time from the factory along with a unique registration code taped to their back. When you press the button the token reads the current timestamp and generates a code based on running your registration code and the timestamp through a function internally and hashing the result into 6 digits.
When you type those 6 digits into the system and send it to the server, the server looks at the registered code on your account, and generates all the possible, acceptable codes for the last allowed time frame (say 30 seconds, so 30 possible codes if its a different one each second, 60 if it rounds to half seconds, etc. It’s entirely up to SE to decide where the cut-off is, but the key is that the token has the exact same algorithm as the server embedded within it). If any of those codes match, the system sends back an allow message.
SE can do other things on the server side, like store which codes have been used and prevent them from being used again (making it a true one-time password) or preventing them from being used only until a new code has been used (to help prevent man-in-the middle type attacks from people snagging your code to log into your account).
With a token, you could code restrictions into the token, enabling buyers and sellers to trade in a secondary market as long as the trade doesn’t violate the hardcoded restrictions. The much in work tokenizing equity in start-ups probably isn’t that valuable at least today because most start-ups are overfunded rather than capital constrained.
Do you have any questions on if security tokens actually work? Ask below!