John Reed Stark

 As I noted in a recent post (here), the business pages these days are full of headlines about Initial Coin Offerings (ICOs). Among many issues swirling around ICOs one is the question of how the offerings fit within the overall legal and regulatory framework. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a detailed look at ICOs with a particular focus on securities regulation. A prior version of this article previously appeared on Securities Docket. I would like to thank John for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s guest post.

 

***************************************

 

For the embryonic, novel and crazed ICO marketplace, Winter is coming. But not in its traditional form, rather in the form of a swift, steady and relentless U.S. Securities and Exchange Commission (“SEC”) dragnet.

 

For those scratching their heads, “Winter Is Coming” is the motto of House Stark, one of the Great Houses of Westeros in the HBO hit series Game of Thrones, and the meaning behind these words is one of warning and constant vigilance. The Starks, being the lords of the North, strive to always be prepared for the coming of Winter, which hits their lands the hardest.

 

Who should heed this warning? Issuers, promoters, facilitators, so-called “finders,” investment banks, law firms and anyone else connected to Internet Coin Offerings (“ICOs”), the method by which startups or other parties can issue cryptographic tokens in an effort to fund or bootstrap a new blockchain network. Because if not prepared, ICO curators, sponsors, affiliates and the rest might all find themselves caught in the SEC’s investigative, regulatory and prosecutorial crosshairs.

 

As the excitement of ICOs spreads throughout the business and financial sectors, so too have the concerns that lack of regulation render the new-age currency susceptible to fraud, manipulation, and to being used as a vehicle for money laundering.  The loudest voice among them: None other than the newly appointed Chairman of the U.S. Securities and Exchange Commission, Jay Clayton.

 

Speaking on November 9th, 2017, at this year’s Institute on Securities Regulation in New York City, Chairman Clayton warned ominously that ICOs in many cases looked like securities. Veering off-script, Chairman Clayton reportedly stated bluntly,

 

“I have yet to see an ICO that doesn’t have a sufficient number of hallmarks of a security. [Moreover], there is also a distinct lack of information about many online platforms that list and trade virtual coins or tokens offered and sold in initial coin offerings.”

 

Chairman Clayton, a seasoned securities regulation veteran and expert cautioned that many ICO platforms were susceptible to manipulation and other fraudulent practices by ICO insiders, management, and better-informed traders.

 

Chairman Clayton’s stern and plain ICO admonition comes as no surprise.  Recent efforts by the SEC and other U.S. enforcement and regulatory agencies indicate an upcoming effort to enforce financial regulations in the ICO space, placing ICOs and other cryptocurrency-based transactions under greater scrutiny than ever before.

 

As former Chief of the SEC’s Office of Internet Enforcement (and, per my older brother, as a direct descendant of House Stark), my take is that the federal and state regulatory onslaught in store for the purveyors of ICOs is imminent and will ensnare a broad range of ICO market participants. No one is likely to escape the SEC’s reach – as well as the reach of state regulators, and the litany of other federal regulatory and criminal prosecutorial agencies who will surely (and eagerly) follow the SEC’s lead.

 

PART ONE: BACKGROUND

 

Understanding cryptocurrency and ICOs remains a challenge for even the most seasoned financial professionals and legal scholars. For one thing, it is beyond the imagination of most experts that a financial transaction can occur with such an extraordinary level of anonymity, complexity and lack of transparency. Yet that is precisely what cryptocurrency allows – with the added convolution of a monetary foundation embedded within computer code on a server somewhere, rather than within a safe and secure haven like Fort Knox.

 

What is Cryptocurrency?

 

Like PayPal or credit cards, cryptocurrencies are digital currencies that can be used to send or receive payment via the Internet. But unlike PayPal or credit cards which are based on actual legal tender such as dollars, euros, pounds or yen — cryptocurrencies are wholly unregulated and completely unmonitored, operating through intricate networks of decentralized computer systems.

 

Cryptocurrency transfers are encrypted and purportedly recorded on what is known as a “digital ledger,” and are hyped as a low-cost alternative to using banks, money transfer companies or brokers, who charge fees for transactions.

 

In September, cryptocurrency trading posted a record $11 billion in trading volume according to Crypto coin News, an industry tracking website. According to CNBC, software developers have raised close to $1.3 billion in 2017 from the sale of new virtual currencies with names like Tezzies, Atoms, and Basic Attention Tokens.

 

Several large companies, including Microsoft, Overstock.com, and DISH Network, along with hundreds of thousands of other vendors worldwide, now accept cryptocurrencies. Overstock has taken cryptocurrencies a step further, announcing plans for an exchange for trading cryptocurrencies, and unveiling plans for an ICO through its tZero subsidiary. If Overstock successfully completes the ICO, it will be the first major public company to achieve this milestone.

 

But there is a dark side to cryptocurrency that has quickly emerged. Given their anonymous and unregulated nature, cryptocurrencies have evolved into the payment mechanism of choice for unlawful transactions – from buying a fake I.D. or a bottle of opiates, to receiving a cache of credit card numbers or stolen identities, to collecting a ransomware payment demand or evading taxes. It is this dark side that has obviously captured the attention of regulators and criminal law enforcement authorities as well.

 

What is an ICO?

 

The broader adoption of the cryptocurrency payment has spawned the concept of using cryptocurrency to fund businesses and investments, and has generated cryptocurrency exchanges around the world. These exchanges, such as Coinbase and Bitfinex, allow people to buy, sell, and transfer funds across cryptocurrencies and central bank-backed currencies, such as dollars and euros.

 

Along these lines, so-called “ICOs” emerged as a novel form of capital raising, whereby startups sell digital tokens to investors to help fund projects, facilitated by the same blockchain technology that powers digital currencies such as bitcoin.

 

In an ICO, virtual coins or tokens are distributed by a company to the public in exchange for another cryptocurrency or fiat currency. These coins or tokens come with particular rights, which could range from a right to access software, redeem the token for a currency or service, or receive future earnings from the company (like a dividend).

 

ICO growth has been nothing short of astonishing. Before 2017, ICOs had raised a total of about $300 million going back to 2014.  Fast forward to 2017, where according to CoinSchedule and as reported in Bloomberg, there have been more than 200 ICOs raising over $3 billion, including over $800 million in ICOs during the month of September alone.  The ICO calendar remains a busy one – close to 40 more ICOs are scheduled for the remainder of 2017.

 

 

Some ICO platforms take any project regardless while other ICO platforms go so far as to have an ICO to raise money for their ICO platform: an ICO of an ICO if you will. Many ICOs are built on top of Ethereum’s platform, which enables the creation of decentralized “smart contracts” that can carry out higher level functions beyond simple transfers of value.

 

Equally astonishing is that ICOs have grown largely outside of regulatory oversight and without the investor protections and disclosure requirements that apply to traditional investment offerings. But that is soon to change.

 

PART TWO: ICOs AND SECURITIES REGULATION

 

ICOs provide a virtual drivers end film of possible securities law violations, raising legal questions and regulatory issues from every angle. Above all else, the federal securities laws apply to those who offer and sell securities in the U.S., regardless whether the issuing entity is a traditional company or a decentralized autonomous organization, regardless of whether those securities are purchased using U.S. dollars or virtual currencies, and regardless whether they are distributed in certificated form or through the distributed ledger technology of cryptocurrencies.

 

ICOs Unlawfully Offering Securities for Sale to the Public

 

To determine how traditional securities regulation applies to ICOs, the SEC will undoubtedly apply the four-pronged Howey Test, derived from the 1946 Supreme Court decision in SEC vs. W.J. Howey Co., which states that a security is an investment contract in which a person 1) invests their money; 2) in a common enterprise; 3) with an expectation of profits; 4) based on the efforts of the promoter or a third party. In order to be considered a security, an offering must meet all four prongs.

 

Typically, an ICO involves the sale of a cryptocurrency “token” in return for which a purchaser might receive anything ranging from simple access to a future service once it is launched to rights in the profits generated by the venture.

 

Most token purchasers expect that they will earn a profit by selling their tokens once they appreciate in value. While some token issuers have acknowledged that they are offering and selling securities under U.S. law, the majority of token issuers have taken the position that their transactions do not involve the offer or sale of any security. Rather than prospectuses, token issuers put out so-called “whitepapers” describing the platform, software or product they are trying to build, and then people buy those tokens using widely-accepted cryptocurrencies (like bitcoin and ethereum) or fiat currencies like the U.S. dollar. These issuers also often employ a litany of promoters and facilitators to generate interest, excitement and participation in the ICO.

 

Historically, the courts and the SEC have taken an extremely broad view of whether any kind of investment is a security. Indeed, the definition of “security” under Section 2(a)(1) of the Securities Act of 1933 (and the nearly identical definition under Section 3(a)(10) of the Exchange Act of 1934) includes not only a number of specific types of financial instruments, such as notes, bonds, debentures and stock, but also broad categories of financial instruments, such as evidences of indebtedness and investment contracts. The definition of security was plainly crafted to contemplate not only known securities arrangements at the time – but also to any prospective instruments created by those who seek the use of the money of others on the promise of profits.

 

With respect to ICOs, the critical area of inquiry for the SEC is whether investors were relying on the managerial efforts of others. On July 25, 2017, the SEC provided important initial guidance on its views of whether ICOs are securities when it released a Section 21(a) Report of Investigation on its findings regarding the token sale by The DAO (more on the report itself later).

 

The bottom line from the DAO 21(a) Report is that the SEC views ICOs as selling securities. In making this determination, the SEC focused on whether the efforts of others were “the undeniably significant ones … that affect the failure or success of the enterprise.”

 

The SEC found that the so-called curators of the DAO played the requisite role. The curators held themselves out as experts in, among other matters, the blockchain protocol, determined which projects would be voted on by DAO Token holders, addressed security issues and more generally held itself out in marketing materials as a group that investors could rely on for their managerial efforts.

 

The SEC also concluded that the voting rights of the DAO Token holders were limited.  In a critical sentence, the SEC noted: “[e]vend if an investor’s efforts help to make an enterprise profitable, those efforts do not necessarily equate with a promoter’s significant managerial efforts or control over the enterprise.” The SEC concluded that the voting rights of DAO Token holders was largely “perfunctory.” Since they could only vote on projects approved by the curators, token holders did not receive sufficient information to vote in a meaningful way, and there were no means to obtain additional information.

 

Equally important, the SEC noted: that the widely dispersed DAO Token holders could not identify and effectively communicate with each other; that there was a large number of them; and that they could not be deemed to be in a position to effectuate meaningful control.

 

In sum, because DAO Tokens were determined to be securities that were offered and sold to individuals in the U.S. without the benefit of a valid exemption from registration, the SEC concluded that the DAO was required to register the offer and sale of DAO Tokens, which it had failed to do.

 

While ICOs may not, by default, trigger SEC jurisdiction, given the DAO 21(a) Report, any potential ICO issuer who was ignoring the Howey test in structuring its offering is now on firm notice that it can no longer do so. Arguably, there is also now an overwhelming presumption that the SEC will deem current iterations and variants of ICOs be securities offerings.

 

Another related issue brought to light by the DAO 12(a) Report is whether ICOs cut across state lines, which could result in violations of the securities laws by transmitting offering documents into states where the issuer had failed to satisfy state regulatory blue sky requirements.

 

The bottom line with respect to the purveyors of ICOs:  They are very likely selling plain-old shares of stock fancifully masquerading as tokens — and their offer and sale would need to be registered under the Securities Act or qualify for an exemption from registration.

 

If the token offering is exempt from registration, the offering likely would need to be made to accredited investors, the tokens would be subject to limitations on resales or transfers, and any general solicitation would likely be prohibited. Regardless of whether the offering is registered or exempt, careful consideration would also have to be given to ensuring that prospective investors receive sufficient disclosure about the offering, including associated risks.

 

 

Tokens are likely securities and their offer and sale would need to be registered under the Securities Act or qualify for an exemption from registration. If the token offering is exempt from registration, the offering likely would need to be made to accredited investors, the tokens would be subject to limitations on resales or transfers, and any general solicitation would likely be prohibited. Regardless of whether the offering is registered or exempt, careful consideration would also have to be given to ensuring that prospective investors receive sufficient disclosure about the offering, including associated risks.

 

In addition, issuers of ICOs have emphasized the purported ease of transferability. Assuming a token is a security, any purchaser of such token, including individuals, should expect to be bound by the customary transfer restrictions associated with holding a restricted security.

 

ICOs as an Unlawful Exchange

 

If a token offering is subject to securities registration in the U.S., then the tokens sold pursuant to such offering may need to be listed on an exchange registered under the Exchange Act of 1934, or be exempt therefrom.

 

Issuers will need to do an analysis under the Exchange Act, as token offerings are frequently conducted on crowdfunding platforms that are not registered as national exchanges. Exchange operators hosting tokens that are securities need to be cognizant of their responsibilities under the Exchange Act to register as an exchange or find an exemption therefrom. Potentially, an offering could fall within the Regulation Crowdfunding exemption, although the DAO 21(a) report expressly noted that the DAO would not have qualified for this exemption.

 

As with traditional exchanges, ICOs should mandate that: 1) investors funds insecurities be handled appropriately; 2) investors understand the risks involved in purchasing the often illiquid and speculative securities that or traded in an ICO; 3) buyers must be made aware of the last prices on a particular ICO; and 4) companies provide adequate disclosure regarding the ICO. Overall entities providing exchange like services must carefully handle access to, and control of investor funds to provide all users with adequate protection and fortification.

 

After having previously declined to approve proposed rule changes to facilitate the listing and trading of shares of the Winklevoss Bitcoin Trust, the SEC followed the path of the U.S. Commodity Futures Trading Commission on July 24, 2017, and affirmed the SEC’s role in regulating platforms like those on which blockchain-based instruments are traded.

 

Given the nature of the platforms that trade cryptocurrency tokens and provide users with an electronic system that matches orders from multiple parties to buy and sell tokens for execution based on non-discretionary methods, ICO platforms would appear to fall within the definition of a securities exchange. This means that ICOs could require registration as a national securities exchange pursuant to Sections 5 and 6 of the Exchange Act or operated pursuant to an appropriate exemption (such as an alternative trading system that complies with Regulation ATS, which requires, among other things, registration as a broker-dealer and filing of a Form ATS with the SEC to give notice of the alternative trading system’s operations).

 

ICOs and Unlawful Investment Advising

 

Depending on the structure of a token offering and the token structure’s investment objective, a sponsor of a token offering may be deemed an investment adviser under the U.S. Investment Advisers Act of 1940 and subject to registration with the SEC or with one or more states as such.

 

Even if an ICO sponsor is an investment adviser but is exempt from registration, the sponsor nonetheless would be subject to certain aspects of the Advisers Act, including the anti-fraud rule.

 

Registration under the Advisers Act entails various disclosure and ongoing compliance requirements, which increases operational costs.

 

Section 203A of the investment advisors act generally makes it unlawful for any “investment advisor, unless registered to use any means of interstate commerce in its advisory business. The investment advisors act also requires investment advisors to maintain certain books and records, which are subject to periodic SEC examinations, and makes it unlawful for “any investment advisor “(whether or not registered) to engage in fraudulent activities.

 

With the proliferation of all sorts of goods and services offered over the Internet, investment advisors peddling their services have not lag far behind; just about every type of investment advisor has sprouted in cyberspace. Although the original drafters of the Investment Advisers Act probably never contemplated the cyberspace investment advisor, the provisions of the investment advisors act appear flexible enough to ensure it safeguarding provisions (disclosure, record keeping, and other customer protections) apply equally to ICO related activities.

 

ICOs and an Unlawful Mutual Fund Offering

 

ICO sponsors must also be mindful of the requirements of the Investment Company Act of 1940, which requires “investment companies” to register with the SEC unless they qualify for one of several exclusions from the definition. Generally, an investment company is an issuer that is engaged or proposes to engage in the business of investing, reinvesting, owning, holding, or trading in securities, and owns or proposes to acquire “investment securities” having a value exceeding 40 percent of the value of its total assets (exclusive of government securities and cash items) on an unconsolidated basis. For this purpose, “securities” and “investment securities” are broadly defined, and in some instances, include instruments that may not even be securities under the Howey test.

 

Investment company registration and ongoing structural requirements are highly complex and issuing platforms may find complying with them without compromising the business model difficult or impracticable. The platform would therefore likely need to be structured to meet an applicable exclusion from the definition of an investment company under the 1940 Act, which would limit the number of U.S. investors due to eligibility requirements and other limitations under the 1940 Act.

 

An issuer that is required to register as an investment company but fails to register is subject to many potential penalties, including criminal sanctions. Notably, the DAO 21(a) Report did not address whether the DAO would be an investment company under the 1940 Act, leaving that analysis for another day and another issuer.

 

ICOs and Unlawful Broker-Dealer Activities

 

One of the more critical federal and state regulatory registration requirements that may emerge when participating in the operation of an ICO, is that of broker-dealer activity. If tokens are deemed securities, intermediaries such as token exchanges and promoters would likely need to comply with broker-dealer registration requirements.

 

For example, when and company is at all engaged in facilitating or helping conduct the ICO (for example by promoting the ICO or by helping find ICO investors), the company may be required to register as a broker dealer with the SEC.

 

Specifically, Section 15(a)(1) of the Securities Exchange Act of 1934 makes it unlawful for a person to “effect a transaction in securities” or “attempt to induce the purchase or sale of, any security” unless they are registered as a broker or dealer under the rules and regulations of the Financial Industry Regulatory Authority, Inc. (FINRA). FINRA is the regulatory organization designated by the Securities and Exchange Commission (SEC) to license and regulate broker-dealers.

 

The ramifications for failure to register as a broker-dealer are severe, even criminal. Section 29(b) of the Exchange Act provides that every contract made in violation of any provision of the broker-dealer registration requirements “shall be void” as to rights of persons who made or engaged in the performance of such contract. It results in the underlying purchase of securities becoming a voidable transaction that gives the investor a right of rescission, so if for purchasers losing money on the investment, there is an instantaneous and simple claim to get a refund of their investment.

 

Moreover, Section 20(e) of the Exchange Act, under which the SEC may impose aiding-and-abetting liability on any person that knowingly or recklessly provides substantial assistance in a violation of the Exchange Act also creates creates additional potential liability. Finally, merely retaining and permitting an unlicensed intermediary to help facilitate or effect a securities transaction (such as an ICO) may be a violation of federal and many state laws, and may subject the issuer to possible civil and criminal penalties.

 

Most ICO promoters and affiliates negotiate payment of “success fees” upon completion of a financing transaction or arrange for some other iteration of transaction-based compensation. Even if the arrangement masquerades the true intent of the relationship, payment of transaction-based compensation is treated by U.S. securities regulators as a nearly-conclusive indication that a person is engaged in the securities business and should be registered as a broker-dealer.

 

Thus, when an unregistered person or entity is involved as a broker, finder, etc. of an ICO, the ICO could become immediately and irrevocably tainted. This notion makes a lot of sense. Broker-dealers are supposed to provide a gatekeeper to protect investors in the marketplace and are required to “observe high standards of commercial honor and just and equitable principles of trade” in the conduct of its business, including determining if an investment is “suitable” for its customer and maintain meticulous records of communications, representations, transactions and other important information. Broker-dealers also are subject to SEC and FINRA examination together with a broad range of regulations and rules of conduct.

 

The SEC considers the principle of gatekeeper registration sacrosanct and broadly construes the broker-dealer laws while narrowly construing the few permitted exceptions.

 

Rescission Waivers

In an attempt to mitigate the risk of a rescission offer in the event that an ICO token is later deemed to be a security, some token purchase agreements for ICOs may have gone so far  as to contain presales provisions attempting to “disclaim” liability and somehow prospectively remove the possibility of rescission.

 

These waiver provisions require the token recipient to agree that token purchases are irreversible and there is “no refund under any circumstances.” Other token issuers characterize the payments received from token buyers as nonrefundable donations, using a Switzerland foundation as the legal entity. However, caveat emptor or “buyer beware” has its limitations, and token issuers cannot contract out of compliance with securities laws, especially rescission.

 

Rescission cannot even be used to eliminate liability, so if ICO token recipients were to receive rescission, the ICO could still be liable to the SEC for securities violations.  Indeed, Section 29 (a) of the Exchange Act of 1934 also expressly provides that “any condition, stipulation, or provision binding any person to waive compliance with any provision of [the laws] shall be void.” (emphasis added).

 

Some ICO purchase agreements require that the purchaser waive the right to receive a return of their cryptocurrency paid for the token and limit liability to the equivalent value in U.S. dollars paid at the time of purchase.  The enforceability of these provisions is similarly suspect.  Historically, the SEC does not allow securities law violators to dictate the nature and amount of an investor remediation, such as a rescission offer.

 

ICOs and Unlawful Stock Promotions

 

Like other trendy cultural phenomena, some noteworthy celebrities – such as boxer Floyd Mayweather and hotel heiress Paris Hilton – have become involved in promotional efforts, largely conducted via social media outlets, related to ICOs.  This practice raises obvious concerns about possible securities violations, most definitively, Section 17(b) of the Securities act of 1933.

 

Section 17(b) prohibits the publication of paid for descriptions of securities without full disclosure of the compensation arrangement. This prophylactic measure was “particularly designed to meet the evils of the tipster sheet, as articles in newspapers or periodicals that purport to give an unbiased opinion but which opinions in reality are bought and paid for.

 

Prior to the Internet era, section 17(b), unchanged from its enactment in 1933, with no rules or regulations ever promulgated thereunder, originally served the SEC as the legal basis to combat touting fraud in a variety of mediums, including brochures, newsletters, and radio talk shows – wherever touters attempted to disguise their paid promotions as independent, objective analysis.

 

In the early 1990s, as the Internet begin to evolve into an important tool for investors, unlawful touting spread to every corner of cyberspace, including websites, newsletters, spams (electronic junk mail), and then online message boards, discussion forums and now, social media.

 

The SEC first acted upon trending unlawful Internet investment promotions with several enforcement actions brought between 1996 and early 1998.  But despite the division’s efforts, the practice continued to proliferate, prompting the SEC to take even stronger action in several Internet “sweeps,”, one in October 1998 and another in February 1999. These coordinated 17(b) roundups, led by the SEC’s Office of Internet Enforcement (the first SEC cyber office, discussed below) consisted of more than 25 Separate enforcement actions against more than 50 individuals and companies, garnering tremendous publicity at the time, and virtually eliminating the unlawful promotion practice entirely, while simultaneously stunting the growth of unlawful securities offerings as well.

 

ICOs and Data Security Requirements

 

A sponsor of a token offering or a token exchange may have obligations under cybersecurity regulations pursuant to the U.S. Gramm-Leach-Bliley Act and various state laws. The SEC and the Financial Industry Regulatory Authority also expect investment advisers and broker-dealers (including those involved in ICOs) to maintain cybersecurity policies and procedures under existing privacy-related regulations.

 

The SEC has expanded considerably its efforts relating to cybersecurity, beefing up its regulatory examinations of investment advisers and broker-dealers with targeted sweeps for cybersecurity as well as initiating an active cybersecurity enforcement program.  The SEC has gone almost so far as to compel that SEC-regulated entities perform periodic penetration testing and risk and security assessments, by publicly emphasizing the importance of penetration testing at financial institutions such as investment advisers, broker-dealers, exchanges, mutual funds, etc.

 

Not to be outdone, the Financial Industry Regulatory Authority (FINRA) also released in February 2015 its Report on Cybersecurity Practices, which provided an in-depth report on cybersecurity at broker-dealers. Therein, FINRA offered its own insights into what it expects from firms’ cybersecurity risk management practices, and included its expectation that firms implement “sound technical controls, such as identity and access management, data encryption and penetration testing.”

 

PART THREE: ICOs AND OTHER REGULATIONS

 

Even if an ICO sponsor can avoid having its tokens classified as securities by the SEC, it still must determine whether it falls within the scope of myriad other federal or state regulatory regimes, including those applicable to money transmitters and financial institutions. In addition to the SEC and the labyrinth of state securities regulations, a range of other regulatory and criminal concerns can arise as well.

 

ICOs and Anti-Money Laundering

 

Theoretically, anyone with an Internet connection and a digital wallet can be part of an ICO – especially criminals. Given that cryptocurrency transactions are pseudonymous, encrypted and decentralized by nature, virtual currencies offer a convenient method of transferring funds obtained from illegal activities without an audit trail, thereby making it harder for any central authority or law enforcement agency to track each of the transactions made, and the individuals behind them.  On the other hand, transactions involving traditional financial firms, such as banks, brokers and dealers, and money service businesses, are subject to strict U.S. anti-money laundering laws and regulations aimed at detecting and reporting suspicious activity, including money laundering and terrorist financing, as well as securities fraud and market manipulation.

 

Not surprisingly, the notion of terrorists and criminals being able to launder money anonymously has not escaped the attention of U.S. regulators, who have vowed to crack down on the virtual currency exchanges who serve criminals, even those operating outside the United States.

 

Along these lines, anti-money laundering (AML) regulations have evolved into a complex array of compliance obligations for any financial organization, especially those handling embryonic virtual cryptocurrencies, and have become useful, convenient and effective tools for criminals. Along those lines, the U.S. Department of Justice (DOJ), together with the Financial

 

Crimes Enforcement Network of the U.S. treasury Department (FinCEN) have become increasingly active in policing criminals exploiting cryptocurrencies, leveraging AML statutes and regulations as their preferred statutory weaponry.

 

For instance, in 2015, in addition to being charged for violating computer crime Title 18 U.S.C., Section 1030(a)(7)Anthony Murgio, a ford Bitcoin exchange operator, also pled guilty to operating as a money transmitter without a license, and was sentenced to 5 ½ years in prison.

 

Federal prosecutors alleged that Murgio and his co-conspirators benefitted from transactions providing victims with Bitcoin to pay off ransomware demands. The indictment states:

 

“As part of the unlawful Coin.mx scheme, Anthony P. Murgio, the defendant, and his co-conspirators knowingly processed and profited from numerous Bitcoin transactions conducted on behalf of victims of ransomware schemes…By knowingly permitting ransomware victims to exchange currency for Bitcoins through Coin.mx, Murgio and his co-conspirators facilitated the transfer of ransom proceeds to the malware operators while generating revenue for Coin.mx.” 

 

Not just a part of the ransomware payment process, Murgio allegedly facilitated the ransomware transactions with unclean hands – possessing the kind of nefarious intent required for money laundering criminal liability, which is probably why the Murgio prosecution also addresses AML liability. Specifically, the issues relate to the failure of Murgio and his cohorts to:

 

  • Register with the Financial Crimes Enforcement Network (FinCEN);
  • Maintain an effective AML program;
  • Comply with AML record-keeping requirements; and
  • File with FinCEN Suspicious Activity Reports(SARs) regarding customers who use cryptocurrencies for nefarious purposes.

 

The Murgio indictment also alleges that Murgio and another defendant had undue influence on a federally insured credit union that handled the exchange’s banking operations for a period of time, and that they tried to “trick” major financial institutions about the nature of their business.

 

The Murgio defendants allegedly exchanged at least $1.8 million Bitcoins for cash for certain customers who claimed they were ransomware attack victims needing Bitcoins to “pay off” ransomware attackers.

 

FinCEN, MSBs and ICOs

 

Money Services Businesses (MSBs) have been required to register with FinCEN since 1999, when the MSB regulations first went into effect. MSBs have historically been recognized by FinCEN to include: (1) currency dealers or exchangers; (2) check cashers; (3) issuers of traveler’s checks, money orders, or stored value; (4) sellers or redeemers of traveler’s checks, money orders, or stored value; and (5) money transmitters.

 

An entity acting as an MSB that fails to register (by filing a Registration of Money Services Business (“RMSB”), and renewing the registration every two years per 31 U.S.C. § 5330 and 31 C.F.R. § 1022.380), is subject to civil money penalties and possible criminal prosecution.

 

The registration of the MSB serves as a first step in establishing the compliance framework for applicable FinCEN regulations designed to help mitigate the risks of criminal abuse of MSBs for money laundering and terrorist financing as the MSB seeks to provide financial services to customers for legitimate purposes. There is no cost for registration, which is a simple procedure explained in detail on FinCEN’s website at https://www.fincen.gov/money-services-business-msb-registration.

 

In 2013, FinCEN expanded its MSB definition to include virtual currency exchanges.  Specifically FinCEN issued guidance providing that any virtual currency “exchanger” (i.e., a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency) is a money transmitter (i.e., a person engaged in the business of accepting and transmitting currency, funds or other value that substitutes for currency) under the Bank Secrecy Act (“BSA”) and its implementing regulations (31 C.F.R. § 1010.100(ff)(5)) and, therefore, required to register with FinCEN as an MSB within 180 days of beginning operations.

 

The BSA and its implementing regulations require an MSB to develop, implement and maintain an effective written AML program that is reasonably designed to prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities. For an ICO, this requires, among other things, meticulously recording transactions, definitively knowing who customers are and reporting suspicious activity to law enforcement

 

FinCEN’s MSB Expansion

 

Recently, FinCEN has begun to expand its definition of an MSB even further, to include not only virtual currency exchanges but also cryptocurrency platforms which act as enablers/ financial intermediaries for criminal schemes.

 

For instance, in a July 2017 AML enforcement action, FinCEN, in a joint prosecution by the U.S. Attorney’s Office for the Northern District of California, assessed a $110 million civil money penalty against BTC-e a/k/a Canton Business Corporation (BTC-e) for willfully violating U.S. AML laws. Russian national Alexander Vinnik, one of the operators of BTC-e, was also arrested in Greece, and FinCEN assessed a $12 million penalty against him for his role in the violations.

 

BTC-e is an Internet-based, foreign-located money transmitter that exchanges fiat currency as well as the convertible virtual currencies Bitcoin, Litecoin, Namecoin, Novacoin, Peercoin, Ethereum, and Dash. By volume, BTC-e is one of the largest virtual currency exchanges in the world. In so doing, the exchange facilitated numerous transactions connected to a variety of criminal activities ranging from illegal drug sales on dark web markets like Alpha Bay to public corruption.

 

FinCEN asserted jurisdiction because BTC-e conducts business as an MSB in substantial part within the United States (including $296 million of U.S. customer transactions through U.S servers.) The BTC-e FinCEN action marks just the second case by FinCEN involving a cryptocurrency exchange and the first FinCEN action against a foreign-based exchange that did substantial business in the United States.  Although BTC-e was not based in the United States, DOJ and FinCEN determined that U.S.

 

In announcing the AML fines and prosecutions, Jamal El-Hindi, Acting Director for FinCEN, stated:

 

“We will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate U.S. anti-money laundering law. This action should be a strong deterrent to anyone who thinks that they can facilitate ransomware, dark net drug sales, or conduct other illicit activity using encrypted virtual currency. Treasury’s FinCEN team and our law enforcement partners will work with foreign counterparts across the globe to appropriately oversee virtual currency exchangers and administrators who attempt to subvert U.S. law and avoid complying with U.S. AML safeguards.” 

 

Key AML/ICO Takeaways

 

Some key ICO takeaways from the FinCEN/DOJ fines, prosecutions and overall regulatory and enforcement posture towards the alleged “criminal design” of crypto-currency exchanges, are as follows:

 

  • FinCEN and DOJ are expanding AML statutes and regulations to attack ransomware perpetrators as AML criminal enterprises in the same way that DOJ expanded the Racketeers Influenced and Corrupt Organizations Act (RICO) to attack street gangs, gang cartels, corrupt police departments, duplicitous Wall Street bankers and even crooked political campaigns. In so doing, FinCEN and DOJ are turning the tides on enablers who exploit the cryptocurrency ecosystem to anonymize (i.e. launder) financial transactions. By becoming increasingly sophisticated at coopting a cryptocurrency network to establish an AML jurisdictional nexus, FinCEN and DOJ have laid the groundwork to link and prosecute both the masterminds and the foot soldiers of unlawful ICOs;

 

  • FinCEN is actively mining BSA data to develop leads on cyber threats who may be involved in ICOs, and coordinating with an alphabet soup of criminal investigative agencies by sharing critical analytics and by providing tactical and strategic intelligence reports associated with these threats;

 

  • S. Regulators and prosecutors could take action against persons or entities associated with an ICO under the auspices that they are MSBs who fail to keep BSA/AML controls or know their customers – or even for avoiding or neglecting reporting requirements or not properly registering as money transmission businesses (like Murgio);

 

  • When an offshore person or entity intentionally and maliciously participates and profits within the financial machinations of a ransomware scheme (such as the alleged money laundering by BTC-e and its senior management), a company or person’s location overseas is not necessarily a defense to AML charges;

 

  • AML rules and regulations also could affect the sponsor of a token offering or token exchange indirectly to the extent it relies on banks, exchanges or other financial institutions for clearing, settlement, custody, or other functions; and

 

 

CFTC and ICOs

 

Of the many federal and state agencies likely to follow in the SEC’s ICO regulatory footsteps, the Commodities Futures Trading Commission (“CFTC”) seems most prominent.

 

Specifically, the CFTC said in a recent “Primer on Virtual Currencies” that digital tokens issued in ICOs can be considered commodities and thus come under CFTC’s oversight, putting the futures watchdog on par with the SEC’s approach to regulating the booming ICO market.

 

The CFTC, which in 2015 determined that bitcoin and other virtual currencies are properly defined as commodities, said it too will take a case-by-case approach in determining where oversight of ICOs is warranted. The statement was included in a report generated by LabCFTC, the agency’s fintech initiative.

 

The U.S. Commodity Futures Trading Commission has taken the view that bitcoin and other digital currencies are “exempt commodities” (as defined in the U.S. Commodity Exchange Act (the “CEA”)) that are subject to its jurisdiction. The issue came to light in In the Matter of Coinflip Inc. (CFTC, Sept. 17, 2015) , which held that bitcoin and other virtual currencies are encompassed in the definition of and properly defined as commodities under the CEA. This may have implications for whether ICO sponsors or other participants in token offerings may be required to register as commodity pool operators or commodity trading advisers with the National Futures Association and whether investors in such tokens must be “eligible contract participants” as defined in the CEA.

 

DOJ and ICOs

 

The Department of Justice (DOJ) has also recently weighed in on the ICO phenomenon. In addition to the July 2017 BTC-e case described above, DOJ made, in November, the first ICO arrest, handcuffing Maksim Zaslavskiy of Brooklyn and charging him with securities fraud conspiracy in connection with engaging in illegal unregistered securities offerings. The charges come just a few days after the SEC initially sued Zaslavskiy. 

 

The “securities offerings” were two separate ICOs that were conducted through two of Zaslavskiy’s companies: RECoin Group Foundation, LLC., and DRC World, Inc. Zaslavskiy branded RECoin as “The First Ever Cryptocurrency Backed by Real Estate”; the ‘DRC’ in DRC World stood for “Diamond Reserve Club”, and the DRC cryptocurrency was supposedly “hedged” by diamonds. However, DOJ alleges that there were no diamonds, and there was no real estate.

 

The charges were announced by Bridget M. Rohde, Acting United States Attorney, and William F. Sweeney, Assistant Director of the New York Field FBI. Said Rohde: “As alleged, Zaslavskiy and his associates enticed investors by promising returns using novel ICOs even though Zaslavskiy knew that no real estate or diamonds were actually backing the investments.”

 

ICOs and International Considerations

 

International finance service entities such as foreign brokers, dealers, and investment advisors continue to enter the ICO arena, offering ICOs sometimes accompanied by other interactive services for potential clients and customers. From their home countries, they peddle their investments and services to U.S. investors without ever crossing the border. Although these entities may indeed be holy legitimate in their own countries, their actions may still trigger U.S. registration requirements.

 

For example, take the case of offshore broker -dealers; many have already settled into the ICO business, providing vivid websites describing their ICO success records. Some portend to have aligned themselves with registered legitimate U.S. broker dealers to facilitate ICOs.

 

Bearing in mind that these brokers and dealers may have never landed on U.S soil and may not have even ever picked up a telephone or sent an email to solicit U.S. customers, they still might be violating the federal securities laws. Overall Section 15 of the Exchange Act of 1934 carefully regulates the activities of foreign broker dealers in the U.S. and provides a very thorough and demanding list of requirements that pertain to the conduct of business by foreign broker-dealers with U.S. persons.

 

Specifically, Section 15 makes it unlawful for any broker or dealer (including any foreign broker or dealer) to make use of any jurisdictional means to affect any transactions in, or to induce or to attempt to induce the purchase or sale of, any security in life such broker or dealer is registered with the SEC. The SEC interprets this registration provision broadly. In the SEC’s view, Section 15 could require registration by a broker-dealer operating outside of the United States, using only email, regular mail or telephone lines to trade securities with U.S. persons, or possibly a foreign broker-dealer who’s only U.S. contacts are the execution of unsolicited ICO orders from U.S. customers.

 

The same could hold true in the case of foreign investment advisors. Depending on the services offered or rendered, the foreign entity may have to meet the requirements previously outlined ICOs could violate these provisions even if holy legitimate within its own borders.

 

Relatedly, other countries are also cracking down on ICOs. Chinese authorities in September declared ICOs illegal. Hong Kong regulators warned the offerings are likely to be regulated. The U.K.’s Financial Conduct Authority said token offerings have parallels with initial public offerings and other fundraising methods, and may fall into its “regulatory perimeter.” Clearly, more countries will follow, voicing similar concerns and likely taking dramatic regulatory and prosecutorial steps as well.

 

PART FOUR: SEC ICO ACTIONS TO DATE

 

Chairman Clayton’s recent warnings about ICOs and their likely future SEC scrutiny is actually not the first time the SEC has talked tough about ICOs. In fact, the SEC has made several other, even more definitive statements about ICOs, which should make it clear to ICO curators, issuers, promotors and the like, that the SEC has only begin its foray into ICO regulation and enforcement.

 

The DAO 21(a) Report

 

On July 25th, 2017, the SEC launched its first salvo against ICOs with a unique and extraordinary “Report of Investigation” pursuant to Section 21(a) of the Securities Exchange Act of 1934, concerning potential securities law violations by the DAO, an Internet-based organization that operated as decentralized venture capital fund.

 

According to the 21(a) report, The DAO raised funds for projects by offering “DAO Tokens” to investors in exchange for Ether, one of the most popular virtual currencies. Investors who owned DAO Tokens could choose to share in the anticipated earnings from projects as a return on their investment, or resell DAO Tokens on a secondary market. By mid-2016, the DAO had raised the equivalent of $150 million from approximately 11,000 investors but then fell victim to a cyber-attack. Although the DAO quickly acted to avoid any loss to DAO Token holders, this cyber-attack prompted the SEC to investigate potential securities law violations by the DAO.

 

As discussed earlier, the SEC asserted that the offers and sales of DAO Tokens were subject to securities regulation, because DAO Tokens constituted an “investment contract,” which is a “security” under the Securities Act and the Exchange Act. To come to this conclusion, the SEC analyzed the Tokens under the Howey Test, concluding that it met all four requirements.

 

First, the investors paid “contribution of value” for the Tokens, because Ether was comparable to money or a good. Second, the investors who purchased Tokens reasonably expected profits, because various marketing material repeatedly stated that The DAO’s objective was to fund projects that would provide a return on investment. Third, Token holders relied on managerial efforts of others, including “curators” of the fund. Most important, similar to investors who hold a traditional security like a stock or a bond, the SEC concluded that the Token holders had diminished voting rights and lacked the ability to exercise meaningful control of the company.

 

The SEC’s DAO 21(a) Report sent shockwaves through the cryptocurrency community. The SEC stated, “This report reiterates these fundamental principles of the U.S. federal securities laws and describes their applicability to a new paradigm—virtual organizations or capital raising entities that use distributed ledger or blockchain technology to facilitate capital raising and/or investment and the related offer and sale of securities. The automation of certain functions through this technology, “smart contracts,” or computer code, does not remove conduct from the purview of the U.S. federal securities laws.”

 

Under the SEC’s analysis in the 21(a) Report, any type of cryptocurrency “coin” or “token” that is exchanged for either traditional money or another cryptocurrency with the expectation of profit based on the work of others would be subject to federal securities laws.

 

The mere fact that the SEC used the enforcement tool of a “21(a) Report” speaks volumes. The SEC uses these reports as a vehicle to signal how it views a particular problematic area or set of practices. The SEC issues Reports of Investigation very rarely, having done so only a dozen or so times in the last 20 years. 21(a) reports are also reports of the Commission, not its Enforcement Division – which means the DAO 21A Report was approved by the Commission itself, following a rigorous process of review by the various SEC divisions. Given their breadth, scope and deliberate focus, 21(a) Reports are actually can become far more impactful than an SEC enforcement action, because they are essentially declared policy statements.

 

Most importantly, 21A Reports are a “shot across the bow,” putting the securities markets (and anyone else listening) on notice that going forward the SEC and its Enforcement Division will consider similar conduct to be fair game for more conventional enforcement action.

 

SEC Investor Bulletin on ICOs

 

On the same day as the DAO 12(a) Report, the SEC released an Investor Bulletin that provided recommendations for companies looking to issue tokens through an ICO, including the following:

 

  • The SEC will interpret certain ICOs, such as the DAO offering, as the offer and sale of securities;
  • ICOs may inappropriately entice investors by guaranteeing high returns or low risk in a new technology and investment space;
  • Virtual currency exchanges and other entities holding virtual currencies may be vulnerable to fraud, technical glitches, hacks and malware, and virtual tokens or currency may be stolen by hackers
  • If the tokens issued as part of the ICO can be considered securities, then the virtual coins or tokens must be registered with the SEC, or the sale must be made pursuant to an exemption from registration;
  • Companies planning ICOs should carefully review the criteria for exemptions from registration, including the provisions relating to accredited investors and other restrictions involving net worth or income requirements, and should satisfy the criteria for those exemptions for US investors should the token be considered a security;
  • The SEC will likely scrutinize representations that particular ICO offerings are exempt from registration;
  • Sales of tokens as part of crowdfunding should adhere to the requirements of the SEC’s crowdfunding regulations (called Regulation Crowdfunding) and other relevant securities laws;
  • If the virtual token or coin is a security, “investment professionals and their firms who offer, transact in, or advise on investments” must be licensed or registered in accordance with federal and state securities laws; and
  • The SEC will scrutinize what it considers to be “jargon-laden pitches, hard sells, and promises of outsized returns.”

 

The Bulletin also outlined several warning signs that investors should look for when considering participating in an ICO:

 

  • Opportunities that guarantee outsized returns, especially those that advertise “little or no risk”;
  • Unsolicited sales pitches (e., scenarios where the potential purchaser does not know the sender and did not request the information);
  • Pressure to buy immediately or creating a sense of urgency;
  • ICOs offered by unlicensed individuals or firms; and
  • Lack of net worth or income requirements or investment limits, especially where the ICO involves the offer or sale of securities.

 

The SEC also released a third document on August 28, entitled “Investor Alert: Public Companies Making ICO-Related Claims,” warning investors about potential “pump-and-dump” ICO scams in which an insider or offeror circulates fake information meant to increase the coin’s value, and then sells the coin at the inflated value. The SEC recently suspended the trading of First Bitcoin Capital Corp., CIAO Group, Strategic Global, and Sunshine Capital in connection with allegedly suspicious news releases and claims made by the companies.

 

The SEC Investor Bulletin, intricate in ICO details and fulsome with cautionary rhetoric, has done little to cool the white-hot market for token sales. More than $600 million in ICOs have been completed since, according to CoinDesk’s ICO Tracker.

 

The Newly Re-calibrated SEC Cyber Unit and the Newly Created SEC Retail Strategy Task Force

 

In late September 2017, just a few months after the DAO 21(a) Report and the SEC ICO Investor Bulletin, the SEC announced the formation of a new cyber unit to target violations involving distributed ledger technology and initial coin offerings (ICOs) as part of a new effort to fight cybercrime. The new cyber unit is also chartered specifically to pursue “misconduct perpetrated using the dark web,” where bitcoin and other cryptocurrencies are used to pay for illicit goods.

 

Separate from the cyber unit, the SEC also created a retail strategy task force that will “develop proactive, targeted initiatives to identify misconduct impacting retail investors.” While this task force’s mission was not described as being specifically aimed at the crypto space, ICOs are clearly one of its targets, especially given the explosive interest in ICOs by traditional retail investors. This new team will “apply the lessons learned from [past securities fraud] cases and leverage data analytics and technology to identify large-scale misconduct affecting retail investors.” Given the litany of complaints that IPO sales have preyed on unsophisticated retail investors, the ICO marketplace will likely become the centerpiece of the task force’s focus.

 

 

This is not the first time the SEC has established a specialized unit to manage cyber-crimes. From 1998 – 2009, before being merged with the SEC’s Office of Market Intelligence, the SEC created the Office of Internet Enforcement (OIE), the first specialized cyber group. OIE led a broad range of SEC Enforcement actions, initiatives and investigations, many filed parallel to criminal prosecutions. The original cyber group faced a similar threat in the form of unlawful offerings conducted via the Internet and came out swinging against those frauds, leading five Internet fraud sweeps in its first two years.

 

Interestingly, the new cyber group also swallowed up the SEC’s Distributed Ledger Technology Working Group, naming its leader as one of its assistant directors. Moreover, two assistant directors within the new cyber group were actually members of the original OIE, which adds an extraordinary and immediate level of experience and expertise to the new cyber group’s ranks.

 

Recently, SEC Enforcement co-director Stephanie Avakian emphasized the new cyber group’s focus on ICO issues, cautioning issuers that these were in fact securities and governed by existing securities law. She also noted the intrinsic potential regarding blockchain and “legitimate opportunities for raising capital,” but warned:

 

“… like many legitimate ways of raising capital, the popular appeal of virtual currency and blockchain technology can be an attractive vehicle for fraudulent conduct. We think that creating a permanent structure for the consideration of these issues within the Cyber Unit will ensure continued focus on protecting both investors and market integrity in this space.”

 

Clearly, ICOs and other cryptocurrency issues will be the primary focus of this new cyber group, and if history is at all telling, conducting ICO sweeps will be among the re-activated cyber group’s early prosecutorial maneuvers.

 

The SEC October 2017 “Statement”

 

In an extraordinary and unprecedented announcement on November 1st, 2017, the SEC warned celebrities and other influencers that they may run afoul of securities laws when advertising cryptocurrency and other investments (including ICOs) unless they disclose the nature, source and amount of that compensation.

 

By issuing the “Statement on Potentially Unlawful Promotion of Initial Coin Offerings and Other Investments by Celebrities and Others,” the SEC’s Enforcement Division and Office of Inspections, Compliance and Examinations put the spotlight on social media promotions by celebrities like artists and sports figures to monitor whether endorsements, particularly those for ICOs, properly disclose the celebrity’s relationship to the investment.

 

According to the SEC Statement, “Any celebrity or other individual who promotes a virtual token or coin that is a security must disclose the nature, scope and amount of compensation received in exchange for the promotion . . . A failure to disclose this information is a violation of the anti-touting provisions of the federal securities laws.”

 

The statement did not identify any specific celebrities who’ve used their fertile social media ground to promote coin offerings, though music icon DJ Khaled recently posted on Instagraman endorsement for a company called Follow Coin Ltd., saying it “puts you in the game with #cryptocurrency,” according to his account.

 

Meanwhile, hotel heiress Paris Hilton in September took to Instagram with a photo of herself decked out in jewels to tell her 7.6 million followers that she was “looking forward to participating in the new #LydianCoin Token.” That same month, Academy Award-winning actor Jamie Foxx promoted the ICO of yet another token-related product, a free cryptocurrency trading exchange called Cobinhood.

 

The SEC noted that celebrities who endorse investments may lack sufficient expertise to ensure an investment’s appropriateness or its compliance with federal securities laws, stating, “We encourage investors to research potential investments rather than rely on paid endorsements from artists, sports figures, or other icons.”

 

This kind of unlawful promotional activity of ICOs, which as noted above, likely violates Section 17 (b) of the Securities Act of 1933, could very well provide ideal fodder for early actions by the new SEC cyber unit, even forming the basis of a full-fledged ICO sweep. 17(b) cases are easy to prove — all that is required is that the promoter was paid to promote an ICO, and that the promoter failed to disclose the nature, source and amount of that compensation. There is no scienter or “intent” requirement. In other words, ignorance of the law is no excuse.

 

There also exists precedent for 17(b) sweep from almost 20 years ago in the 1998 and 1999 17(b) sweeps (discussed above). The new cyber unit might take a lesson from OIE’s playbook, and apply the same 17(b) statutory weaponry to the arena of ICOs, allowing for a quick and straight-forward group of enforcement actions.

 

PART FIVE: FINAL THOUGHTS

 

In U.S. capital markets, when an investor orders 100 shares of his or her favorite stock, a proper, transparent and meticulous transaction will occur. That’s because — and this is no coincidence — U.S. markets in addition to being the most heavily regulated are also the most efficient, most robust and most secure in the world. ICOs turns this traditional notion of safety and security on its head – which is troubling.

 

Despite similar sounding names, ICOs bare little semblance to IPOs, which have historically (and quite mistakenly) enjoyed far too much allure as “get rich quick” opportunities.  The valuations of ICOs eerily resemble those of the many failed companies of the early days of the dot-com boom IPOs, when many investors lost their life savings to investments encompassing little more than a sales pitch with the word “Internet” in the description.

 

Consider this fact: When ICOs started, well-known names raised relatively small amounts of capital. Ethereum raised about $18 million in their ICO in 2014 and Vitalik Buterin, the boy genius behind Ethereum’s genesis, the world’s second-most valuable cryptocurrency network behind Bitcoin, had been a Theil Fellow with a $100K grant.  Recently, ICOs have been raising far more: Tezos ($222 million), EOS ($183 million), Bancor ($153 million).  These are challenging valuations to understand and rationalize, let alone respect.

 

An ICO can represent the issuance of tokens for different purposes, from different entities or as a subset to an existing entity. Some of the so-called organizations having ICOs are not entities in a traditional sense.  The DAO, for example, raised $120 million last year, but as their name implies, they are a Distributed Autonomous Organization, with no formal location or formal leadership.   It is no wonder that ICOs have become the focus of systemic sarcasm, with ICO offerings such as the Useless Ethereum Token, which “offers investors no value, so there will be no expectation of gains and Others like the FOMO coin also now exist (Fear of Missing Out).

 

Although innovation and creativity have made U.S. securities markets the best capital formation system in the world, careful and thoughtful government intervention from entities such as the SEC has ensured that U.S. markets also have the highest level of integrity and safety. Of course, the SEC should not discourage modernization or technological advances but it should ferret out the abuses while offering assistance and guidance to the pioneers of the securities markets. In that vein, purveyors of ICOs must provide the same customer protection’s and capital safeguards often taken for granted in the context of the traditional trading of securities, such as with a registered U.S. exchange.

 

My prediction is that in the coming year or two, the SEC will initiate a slew of ICO-related enforcement actions, perhaps even a sweep, where a multiple and variety of matters are all announced and filed at the same time, causing a virtual earthquake in the ICO industry.

 

What will follow in the short-run won’t be pretty – there will be some blood on the floor in the form of lost investments from good, honest wide-eyed investors who had tried to capitalize on the cryptocurrency phenomena.  But what will follow in the long-run (if possible) will be a more fulsome, more transparent, more reliable, more efficient and far healthier cryptocurrency marketplace.

 

It’s become fashionable of late to question the ability of federal regulators to enforce security statutes and regulations in the fast pace new medium of the Internet. Some have even gone so far as to give the SEC’s enforcement division it’s last rites. But reports of its death have been greatly exaggerated.

 

Historically, the federal securities laws have provided a flexible statutory basis for prosecuting a wide spectrum of offenses ranging from unlawful insider trading to fraud in the sale of certain derivatives to pay to play municipal bonds games. So it really comes as no surprise that the same laws will play such a prominent role in addressing ICO related securities activities.

 

By fully availing itself of a well-stocked statutory armory, the SEC will not only launch a counter-offensive against ICO frauds and regulatory violations, but will also shift the enforcement paradigm from reaction to prevention. Unlike the new cyber-threats of SQL injections, APT attacks and phishing schemes, ICO sponsors, promoters and affiliates actually provide enforcement staff with a cost-free, readily available and extraordinarily resplendent view into ICOs as they unfold, enabling, in many cases, the enforcement division to arrest violations before investors savings are lost.

 

Rather than create a new frontier for securities law violations, the Internet has for the first time in history put securities law violations in plain view, making culprits easier to surveil, easier to track, and ultimately, easier to catch. This may yet prove to be the most profound change brought by the Internet on the field of securities regulation. Far from tying regulators hands, the Internet has evolved into the virtual rope that many cyber wrongdoers use to hang themselves.

___________________

John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook.”