Among the many problems that have come to light in the current cryptocurrency craze have been problems relating to celebrity endorsements for initial coin offerings (ICO). In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, reviews the highest profile examples of cryptocurrency celebrity endorsements, and then proposes a list of cryptocurrency caveats, for celebrities and for everyone else as well. A version of this article originally appeared on Cybersecurity Docket. I would like to thank John for his willingness to allow me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s guest post.
Floyd “Money” Mayweather is one of the greatest pound-for-pound boxers in history, while DJ Khaled is a brilliant musical artist and wildly popular Internet phenomenon. The two superstars actually have a lot in common. They are both: astute, accomplished and prosperous entrepreneurs; larger-than-life personas, with tens of millions of online followers and fans; and extraordinary success stories rooted in hard work, endless creativity and brilliant execution. But those are not the only traits they share.
They were also both apparently duped by a pair of cryptocurrency swindlers, proving that even notoriously savvy and internationally celebrated multi-millionaires need prudent counsel before making any foray into crypto-financing.
Last week the U.S. Securities and Exchange Commission (SEC) charged two co-founders of Centra Tech, Inc., (Centra) a purported financial services start-up, with orchestrating a fraudulent initial coin offering (ICO), a term that is meant to describe the offer and sale of digital assets issued and distributed on a blockchain, that raised more than $32 million from thousands of investors. Criminal authorities separately charged and arrested both defendants.
The SEC’s complaint alleges that Sohrab “Sam” Sharma and Robert Farkas, co-founders of Centra, masterminded a fraudulent ICO in which Centra offered and sold unregistered investments through a “CTR Token.” Sharma and Farkas allegedly claimed that funds raised in the ICO would help build a suite of financial products. They claimed, for example, to offer a debit card backed by Visa and MasterCard that would allow users to instantly convert hard-to-spend cryptocurrencies into U.S. dollars or other legal tender. In reality, the SEC alleges, Centra had no relationships with Visa or MasterCard. The SEC also alleges that to promote the ICO, Sharma and Farkas created fictional executives with impressive biographies, posted false or misleading marketing materials to Centra’s website, and paid celebrities to tout the ICO on social media.
Two of those celebrities, unmentioned and uncharged by the SEC, were apparently Floyd Mayweather and DJ Khaled, who each posted photos on social media platforms holding a Centra debit card, touting Centra’s credit card like service for the conversion of cryptocurrencies, such as bitcoin and ethereum, into U.S. dollars. It appears that Mayweather and Khaled did not take part in the scam and may have even been fooled themselves by the bold Centra con artists, who, in furtherance of their fraud, allegedly went so far as to create fake Centra biographies and bogus Centra LinkedIn profiles of fictional Centra executives.
“We allege that Centra sold investors on the promise of new digital technologies by using a sophisticated marketing campaign to spin a web of lies about their supposed partnerships with legitimate businesses,” said Stephanie Avakian, Co-Director of the SEC’s Division of Enforcement. “These and other claims were simply false.”
Ten Crypto-Financing Caveats
Clearly, Mayweather and Khaled could have used a lawyer who better understood the perils of crypto-financing, who might have warned them before they even considered, let alone touted and endorsed, Centra.
Along those lines, for any other celebrity (or anyone else) considering a cryptocurrency business deal, below are ten caveats Floyd Mayweather and DJ Khaled should have heard from their lawyers about the regulatory, law enforcement and other related concerns facing the growing caravan of cryptocurrency investors, issuers, promoters, exchange operators and the like.
- No matter what the nomenclature, cryptocurrency tokens will likely fall under SEC scrutiny, because the definition of security is extraordinarily broad with a presumptive, rich and storied history favoring SEC jurisdiction.
In a typical ICO, virtual coins or tokens are distributed by a company to the public in exchange for another cryptocurrency or fiat currency. These coins or tokens come with particular rights, such as: a right to access to a future service once the ICO is launched; a right to redeem the token for a currency or service; or a right to receive future profits from the company (like a dividend).
To determine how traditional securities regulation applies to ICOs, the SEC will undoubtedly apply the four-pronged Howey Test, derived from the 1946 Supreme Court decision in SEC vs. W.J. Howey Co., which states that a security is an investment contract in which a person 1) invests their money; 2) in a common enterprise; 3) with an expectation of profits; 4) based on the efforts of the promoter or a third party. In order to be considered a security, an offering must meet all four prongs.
Most token purchasers expect that they will earn a profit by selling their tokens once they appreciate in value. Rather than prospectuses, token issuers put out so-called “white papers” describing the platform, software or product they are trying to build, and then investors buy those tokens using widely-accepted cryptocurrencies (like bitcoin and ethereum) or fiat currencies like the U.S. dollar. These issuers also often employ a litany of promoters and facilitators to generate interest, excitement and participation in the ICO.
Historically, the courts and the SEC have taken an extremely broad view of whether any kind of investment is a security. Indeed, the definition of “security” under Section 2(a)(1) of the Securities Act of 1933 (and the nearly identical definition under Section 3(a)(10) of the Exchange Act of 1934) includes not only a number of specific types of financial instruments, such as notes, bonds, debentures and stock, but also broad categories of financial instruments, such as evidences of indebtedness and investment contracts.
Plainly crafted to contemplate not only known securities arrangements at the time – but also any prospective instruments created by those who seek the use of the money of others on the promise of profits — the definition of “security” is broad, sweeping, and designed to be flexible to capture new instruments that share the common characteristics of stocks and bonds.
Consider for example, so-called prime bank notes, which have been promoted for decades as sound and safe investments – but are instead bogus financial instruments purporting to derive their value from European secondary markets for stand-by letters of credit, a wholly fictional concoction.
In the seminal prime bank case SEC v. Lauer (1995), the purveyors of prime bank notes argued that the prime bank notes were not securities because they were wholly fictional. The 7th Circuit disagreed, noting that the so-called Howey Test did not require that the securities actually existed, but rather whether the investment, as described, had the characteristics of a security, highlighting just how broad the definition of security is.
The DAO 21(a) Report
With respect to ICOs, the critical area of inquiry for the SEC is whether investors were relying on the managerial efforts of others. On July 25, 2017, the SEC provided important initial guidance on its views of whether ICOs are securities when it released a Section 21(a) Report of Investigation on its findings regarding the token sale by The DAO.
The bottom line from the DAO 21(a) Report is that the SEC views ICOs as selling securities. In making this determination, the SEC focused on whether the efforts of others were “the undeniably significant ones … that affect the failure or success of the enterprise.” The SEC found that the so-called curators of the DAO played the requisite role. The curators held themselves out as experts in, among other matters, the blockchain protocol, determined which projects would be voted on by DAO Token holders, addressed security issues and more generally held itself out in marketing materials as a group that investors could rely on for their managerial efforts.
The SEC also concluded that the voting rights of the DAO Token holders were limited. In a critical sentence, the SEC noted: “[e]ven if an investor’s efforts help to make an enterprise profitable, those efforts do not necessarily equate with a promoter’s significant managerial efforts or control over the enterprise.” The SEC concluded that the voting rights of DAO Token holders was largely “perfunctory.” Since they could only vote on projects approved by the curators, token holders did not receive sufficient information to vote in a meaningful way, and there were no means to obtain additional information.
Equally important, the SEC also noted: that the widely dispersed DAO Token holders could not identify and effectively communicate with each other; that there was a large number of them; and that they could not be deemed to be in a position to effectuate meaningful control.
If the token offering is exempt from registration, the offering likely would need to be made to accredited investors, the tokens would be subject to limitations on resales or transfers, and any general solicitation would likely be prohibited. Regardless of whether the offering is registered or exempt, careful consideration would also have to be given to ensuring that prospective investors receive sufficient disclosure about the offering, including associated risks.
The SEC message to the purveyors of ICOs was clear: ICOs are very likely selling plain-old shares of stock fancifully masquerading as tokens — and their offer and sale would need to be registered under the Securities Act or qualify for an exemption from registration. As SEC Chairman Jay Clayton told the U.S. Senate Banking Committee Chairman, “merely calling a token a ‘utility’ token or structuring it to provide some utility does not prevent the token from being a security.”
In short, while it is an interesting academic exercise to debate the Howey test, the reality is that be it an Article III Judge or an SEC Administrative Law Judge, the SEC will be granted tremendous latitude with respect to its jurisdiction and betting against the SEC with a “not a security” defense would be a highly risky gamble. Along those lines, federal courts have already confirmed the SEC’s jurisdiction in the SEC’s crypto-related emergency asset freeze hearings where the issue was almost certainly considered and affirmed.
- The SEC’s and CFTC’s crypto-enforcement crackdown will be lengthy, robust and relentless.
SEC Chairman Jay Clayton formally launched his cryptocurrency regulatory efforts with a July 25, 2017 Investor Bulletin warning investors about ICOs and, issued that same day, a Report of Investigation pursuant to Section 21(a) of the Securities Exchange Act of 1934, explaining how ICOs are unlawful. During the ensuing months, SEC Chairman Clayton went on a crypto-tour asserting over and over again that cryptocurrency tokens in many cases looked like securities and were susceptible to fraud and chicanery by insiders, management and better-informed traders and market participants:
- On November 9, 2017, Speaking at an SEC Conference (“I have yet to see an ICO that doesn’t have a sufficient number of hallmarks of a security . . . there is also a distinct lack of information about many online platforms that list and trade virtual coins or tokens offered and sold in ICOs.”);
- On December 11, 2017, Issuing an official SEC “ Statement on Cryptocurrencies and Initial Coin Offerings” (“By and large, the structures of initial coin offerings that I have seen promoted involve the offer and sale of securities and directly implicate the securities registration requirements and other investor protection provisions of our federal securities laws.”); and
- On February 6, 2018, Testifying before the Senate Banking, Housing and Urban Affairs Committee(“I believe every ICO I have ever seen is a security . . . ICOs should be regulated like securities offerings. End of Story”).
The SEC even went so far as to turn the spotlight on celebrities running social media ICO promotions and endorsements, admonishing them (which, per Fortune Magazine, presumably included Floyd Mayweather and DJ Khaled, if they were listening) that they may run afoul of securities laws when advertising cryptocurrencies and other investments, including ICOs.
Any SEC historian would attest that rarely in its 84-year history has the SEC been so explicit and so recurring in the public expression of its warnings and rebukes. Clearly, issuing an ICO or operating a cryptocurrency exchange is a lightning rod for regulatory (especially SEC) scrutiny and law enforcement interest, and unless a crypto financier is prepared for an exhaustive, protracted, lengthy and expensive investigatory rectal exam, counsel would be wise to sound the alarm.
Similarly, the U.S. Commodity Futures Trading Commission (CFTC), the primary regulator of options, futures, commodities and other market derivatives, is also mobilizing rapidly to declare its jurisdiction and intention to enforce cryptocurrency regulation. Along those lines, the CFTC has issued several customer protection Fraud Advisories including its Customer Advisory: Risks of Virtual Currency Trading, which describes the risks of trading virtual currencies and warns customers about a number of virtual currency exchange scams.
The frequent crypto-coupling of the Chairman’s of the SEC and CFTC, from their co-authored op-ed piece to their joint congressional testimony to their joint statements, evidences an unprecedented level of collaboration and coordination.
Historically, the SEC/CFTC relationship has occasionally been a rocky one, laden with regulatory quibbling and even dislike. But with respect to crypto-financing, it is a virtual lovefest. The two agencies are working closely together, sharing information, developing mutually beneficial strategies and “carving up” jurisdiction with graciousness and mutual respect. This collaboration between the CFTC and SEC foretells a prolonged and coordinated federal response to ICOs, cryptocurrency exchanges and the like – and is clearly a cause for alarm.
- FinCEN’s AML requirements combined with state law money services business (MSB) licensing and bonding requirements not only create a hefty, burdensome and onerous federal and state regulatory burden and concern – they also enhance the risk significantly for any cryptocurrency firm.
Theoretically, anyone with an Internet connection and a digital wallet can be part of an ICO or cryptocurrency exchange – which, of course, opens the door for those with criminal motives. Given that cryptocurrency transactions are pseudonymous, encrypted and decentralized by nature, virtual currencies offer a convenient method of transferring funds obtained from illegal activities without an audit trail, thereby making it harder for any central authority or law enforcement agency to track each of the transactions made, and to identify the individuals behind any of them. On the other hand, transactions involving traditional financial firms, such as banks, brokers and dealers, and money service businesses, are subject to strict U.S. anti-money laundering laws and regulations aimed at detecting and reporting suspicious activity, including money laundering and terrorist financing, as well as securities fraud and market manipulation.
Not surprisingly, the notion of terrorists and criminals being able to launder money anonymously has not escaped the attention of U.S. law enforcement agencies, who have vowed to crack down on the virtual currency exchanges who serve criminals, even those operating outside the United States. Along those lines, the U.S. Department of Justice (DOJ), acting in cooperation with the Financial Crimes Enforcement Network (FinCEN), has become increasingly active in policing criminals exploiting cryptocurrencies, leveraging AML statutes and regulations as the preferred statutory prosecutorial weapon.
For instance, as far back as 2015, in addition to being charged for conspiracy to commit bank fraud and conspiracy to obstruct an examination of a financial institution, Anthony Murgio, a Bitcoin exchange operator, also pled guilty to operating as a money transmitter without a license, and was sentenced to 5 ½ years in prison. Federal prosecutors alleged Murgio and his co-conspirators benefitted from transactions providing victims with Bitcoin to pay off ransomware demands. The indictment states:
“As part of the unlawful Coin.mx scheme, Anthony P. Murgio, the defendant, and his co-conspirators knowingly processed and profited from numerous Bitcoin transactions conducted on behalf of victims of ransomware schemes . . . By knowingly permitting ransomware victims to exchange currency for Bitcoins through Coin.mx, Murgio and his co-conspirators facilitated the transfer of ransom proceeds to the malware operators while generating revenue for Coin.mx.”
Not just a part of the ransomware payment process, Murgio allegedly facilitated the ransomware transactions with unclean hands – possessing the kind of nefarious intent required for money laundering criminal liability, which is probably why the Murgio prosecution also addresses AML liability. Specifically, the issues relate to the failure of Murgio and his cohorts to:
- Register with the Financial Crimes Enforcement Network (FinCEN);
- Maintain an effective AML program;
- Comply with AML record-keeping requirements; and
- File with FinCEN Suspicious Activity Reports(SARs) regarding customers who use cryptocurrencies for nefarious purposes.
The Murgio indictment also alleges that Murgio and another defendant had undue influence on a federally insured credit union that handled the exchange’s banking operations for a period of time, and that they tried to “trick” major financial institutions about the nature of their business. The Murgio defendants allegedly exchanged at least $1.8 million bitcoins for cash for certain customers who claimed they were ransomware attack victims needing bitcoins to “pay off” ransomware attackers.
FinCEN, MSBs and Cryptocurrency
MSBs have been required to register with FinCEN since 1999, when the MSB regulations first went into effect. MSBs have historically been recognized by FinCEN to include: (1) currency dealers or exchangers; (2) check cashers; (3) issuers of traveler’s checks, money orders, or stored value; (4) sellers or redeemers of traveler’s checks, money orders, or stored value; and (5) money transmitters.
An entity acting as an MSB that fails to register (by filing a Registration of Money Services Business (“RMSB”), and renewing the registration every two years per 31 U.S.C. § 5330 and 31 C.F.R. § 1022.380), is subject to civil money penalties and possible criminal prosecution.
The registration of the MSB serves as a first step in establishing the compliance framework for applicable FinCEN regulations designed to help mitigate the risks of criminal abuse of MSBs for money laundering and terrorist financing as the MSB seeks to provide financial services to customers for legitimate purposes. There is no cost for registration, which is a simple procedure explained in detail on FinCEN’s website.
The BSA and its implementing regulations require an MSB to develop, implement and maintain an effective written AML program that is reasonably designed to prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities. For ICOs and cryptocurrency exchanges, this would require, among other things, meticulously recording transactions; definitively knowing who customers are; and reporting suspicious activity to law enforcement.
FinCEN’s MSB Expansion
Recently, FinCEN has begun to expand its definition of an MSB even further, to include not only virtual currency exchanges but also cryptocurrency platforms which act as enablers/ financial intermediaries for criminal schemes.
For instance, in a July 2017 AML enforcement action, FinCEN, in a joint prosecution by the U.S. Attorney’s Office for the Northern District of California, assessed a $110 million civil money penalty against BTC-e a/k/a Canton Business Corporation (BTC-e) for willfully violating U.S. AML laws. Russian national Alexander Vinnik, one of the operators of BTC-e, was also arrested in Greece, and FinCEN assessed a $12 million penalty against him for his role in the violations.
BTC-e is an Internet-based, foreign-located money transmitter that exchanges fiat currency as well as the convertible virtual currencies Bitcoin, Litecoin, Namecoin, Novacoin, Peercoin, Ethereum, and Dash. By volume, BTC-e is one of the largest virtual currency exchanges in the world. In so doing, the exchange facilitated numerous transactions connected to a variety of criminal activities ranging from illegal drug sales on dark web markets like Alpha Bay to public corruption.
FinCEN asserted jurisdiction because BTC-e conducts business as an MSB in substantial part within the United States (including $296 million of U.S. customer transactions through U.S servers.) The BTC-e FinCEN action marks just the second case by FinCEN involving a cryptocurrency exchange and the first FinCEN action against a foreign-based exchange that did substantial business in the United States.
In announcing the AML fines and prosecutions, Jamal El-Hindi, then Acting Director for FinCEN, stated:
“We will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate U.S. anti-money laundering law. This action should be a strong deterrent to anyone who thinks that they can facilitate ransomware, dark net drug sales, or conduct other illicit activity using encrypted virtual currency. Treasury’s FinCEN team and our law enforcement partners will work with foreign counterparts across the globe to appropriately oversee virtual currency exchangers and administrators who attempt to subvert U.S. law and avoid complying with U.S. AML safeguards.”
FinCEN has also expanded upon its 2013 FinCEN guidance, taking the position that under existing FinCEN rules and interpretations, a developer that sells convertible currency including in the form of ICO coins or tokens, in exchange for another type of value that substitutes for currency, is a money transmitter. Money transmitters must comply with the BSA and its implementing regulations issued by FinCEN that apply to MSBs.
Key AML/Crypto Caveats
Some key AML/crypto caveats are as follows:
By becoming increasingly sophisticated at coopting a cryptocurrency network to establish an AML jurisdictional nexus, FinCEN and DOJ have laid the groundwork to link and prosecute both the masterminds and the foot soldiers of unregistered ICOs and cryptocurrency exchanges;
The SEC has become increasingly aggressive in its policing of ICOs, but now, with FinCEN clearly entering the fray, ICOs are in for an even rougher ride, which will translate into more cryptocurrency investigations and prosecutions. If what FinCEN is saying holds merit, anyone who sells tokens to U.S. residents while, at the same time, failing to register with FinCEN as an MSB and failing to perform the “Know Your customer” (KYC) and AML compliance obligations, could also face several years in prison under a felony conviction. Employees and investors of ICO companies and cryptocurrency exchanges could be held criminally liable, too. Worse, the federally related offense of wire fraud, which includes sending money over the Internet to avoid reporting requirements, could even be bootstrapped to the AML and KYC charges;
- FinCEN is actively mining BSA data to develop leads on cyber threats who may be involved in ICOs and cryptocurrency exchanges, and coordinating with an alphabet soup of criminal investigative agencies by sharing critical analytics and by providing tactical and strategic intelligence reports associated with these threats;
- S. regulators and prosecutors could take action against persons or entities associated with an ICO or cryptocurrency exchange under the auspices that they are MSBs who fail to keep BSA/AML controls or know their customers – or even for avoiding or neglecting reporting requirements or not properly registering as money transmission businesses (like Murgio);
- When an offshore person or entity intentionally and maliciously participates and profits within the financial machinations of a ransomware scheme (such as the alleged money laundering by BTC-e and its senior management via a cryptocurrency exchange), a company or person’s location overseas is not necessarily a defense to AML charges;
- AML rules and regulations also could affect the sponsor of a token offering or token exchange indirectly to the extent it relies on banks, exchanges or other financial institutions for clearing, settlement, custody, or other functions; and
- Anyone involved with ICOs and cryptocurrency exchanges should carefully review FinCEN’s guidance on the Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currenciesand obtain compliance advice and counsel when necessary. If cryptocurrency exchanges conduct business with shady characters, their actions could nonetheless raise AML red flags by facilitating such transactions.
Given the typically suspicious and often international nature of cryptocurrency transactions, meeting AML requirements will be challenging; will require a massive compliance infrastructure; and will create many anticipated and unanticipated consequences. Meanwhile, MSB regulation is state-based – with each state promulgating its own priorities and requirements ranging from record-keeping and bonding to audits and reporting.
Indeed, only a few months ago, in January 2018, New York State Financial Services Superintendent Maria T. Vullo announced that Western Union agreed to pay a $60 million fine as part of a consent order with the New York State Department of Financial Services (DFS) for violations of New York Bank Secrecy Act (BSA) and AML regulations. An investigation by DFS found that Western Union failed to implement and maintain an anti-money laundering compliance program to deter, detect and report on criminals’ use of its electronic network to facilitate fraud, money laundering and the illegal structuring of transactions below amounts that would trigger regulatory reporting requirements.
Superintendent Vullo stated at the time:
“Western Union executives put profits ahead of the company’s responsibilities to detect and prevent money laundering and fraud, by choosing to maintain relationships with and failing to discipline obviously suspect, but highly profitable, agents. DFS will not tolerate unlawful activity that undermines anti-money laundering laws and endangers the integrity of our financial system.”
Clearly, the noxious mix of AML and MSB federal and state regulatory requirements not only creates a foggy, deadly compliance labyrinth for any cryptocurrency firm – but is also replete with risk.
- Section 17(b) of the Securities Act of 1933 is a strict liability securities fraud.
ICO promotional efforts, whether conducted via social media outlets, YouTube campaign or just a megaphone, all raise serious concerns about possible securities violations of Section 17(b) of the Securities act of 1933.
Section 17(b) prohibits the publication of paid for descriptions of securities without full disclosure of the compensation arrangement. This prophylactic measure was “particularly designed to meet the evils of the tipster sheet, as articles in newspapers or periodicals that purport to give an unbiased opinion but which opinions in reality are bought and paid for.”
Prior to the Internet era, section 17(b), unchanged from its enactment in 1933, with no rules or regulations ever promulgated thereunder, served the SEC as the legal basis to combat touting fraud in a variety of mediums, including brochures, newsletters, and radio talk shows – wherever touters attempted to disguise their paid promotions as independent, objective analysis.
In the early 1990s, as the Internet begin to evolve into an important tool for investors, unlawful touting spread to every corner of cyberspace, including websites, newsletters, spams (electronic junk mail), and then online message boards, discussion forums and now, social media.
The SEC first acted upon trending unlawful Internet investment promotions with several enforcement actions brought between 1996 and early 1998. But despite the SEC’s efforts, the practice continued to proliferate, prompting the SEC to take even stronger action in several Internet “sweeps,”, one in October 1998 and another in February 1999. These coordinated 17(b) roundups, led then by the SEC’s Office of Internet Enforcement consisted of more than 25 separate enforcement actions against more than 50 individuals and companies, garnering tremendous publicity at the time, and virtually eliminating the unlawful promotion practice entirely, while simultaneously stunting the growth of unlawful securities offerings as well.
If an ICO involves any kind of paid promoter, without appropriate disclosure, the ICO will be violating Section 17(b), which is a strict liability statute. This means that a 17(b) violation does not require a finding of fault (such as negligence or tortious intent). The SEC need only prove that the ICO promotion occurred without the proper disclosure and that the defendant was responsible.
- The dark side of cryptocurrency will continue to attract increased attention to, and scrutiny of, ICO promoters and cryptocurrency exchange operators.
The underlying product of ICOs and crypto-exchanges is not a harmless product like Pokémon cards, Jordan sneakers or some other appreciating and collectable chattel. Rather, ICO tokens represent a pseudo-anonymous virtual currency which has unfortunately evolved into the payment mechanism of choice for unlawful transactions – from buying a fake I.D. or a bottle of opiates, to receiving a cache of credit card numbers or stolen identities, to collecting a ransomware payment demand or even for funding terrorist-related activities.
Slowing the growth of this unlawful behavior is a notion that appeals not just to market participants, but also to the myriad of victims of crypto-funded ransomware, terrorism, drug dealing and the like. The government, in particular FinCEN, is acutely aware of the dark side of cryptocurrency use – and newly appointed FinCEN director Kenneth Blanco, a former U.S. Department of Justice AML expert, who has testified before Congress about the threat of virtual currencies, has dedicated increasing resources along those lines.
- The SEC has allocated of significant, specialized and dedicated resources to ICOs, cryptocurrency exchanges and the like.
In late September 2017, just a few months after the DAO 21(a) Report and the SEC ICO Investor Bulletin, the SEC announced the formation of a new cyber unit to target violations involving distributed ledger technology and ICOs as part of a new effort to fight cybercrime. The new cyber unit is also chartered specifically to pursue “misconduct perpetrated using the dark web,” where bitcoin and other cryptocurrencies are used to pay for illicit goods.
Separate from the cyber unit, the SEC also created a retail strategy task force that will “develop proactive, targeted initiatives to identify misconduct impacting retail investors.” While this task force’s mission was not described as specifically aimed at the crypto space, ICOs and cryptocurrency exchanges are clearly one of its targets, especially given the explosive interest in crypto investments by traditional retail investors. This new team will “apply the lessons learned from [past securities fraud] cases and leverage data analytics and technology to identify large-scale misconduct affecting retail investors.”
This is not the first time the SEC has established a specialized unit to manage cyber-crimes. From 1998 – 2009, before being merged with the SEC’s Office of Market Intelligence, the SEC created the Office of Internet Enforcement (OIE), the SEC’s first specialized cyber group. OIE led a broad range of SEC enforcement actions, initiatives and investigations, many filed parallel to criminal prosecutions. The original cyber group faced a similar threat in the form of unlawful offerings conducted via the Internet and came out swinging against those frauds, leading five Internet fraud sweeps in its first two years.
The new cyber group also swallowed up the SEC’s Distributed Ledger Technology Working Group, naming its leader as one of its assistant directors. Moreover, two assistant directors within the new cyber group were actually members of the original OIE, which adds an extraordinary and immediate level of experience and expertise to the new cyber group’s ranks.
Clearly, ICOs and other cryptocurrency issues will be the primary focus of this new cyber group, and if history is at all telling, conducting crypto-related sweeps will be among the re-activated cyber group’s early prosecutorial maneuvers. Given the SEC’s formation of its own specialized squadron, whose main purpose every day is to investigate and prosecute crypto-related financiers, ICO purveyors and cryptocurrency exchanges should clearly be sounding the alarm.
- Do not ignore the most powerful player in the cryptocurrency regulatory process – Congress.
The recent ransomware attack on the city of Atlanta crippled several city online services. Atlanta’s municipal court could not see cases; its residents could not pay bills online; and its police officers were writing reports and booking inmates by hand. The attackers demanded a bitcoin payment to prevent future attacks and to remedy the current one. The perils resulting from cryptocurrency use will only become worse – and when lives are lost, such as during a ransomware attack upon a hospital, Congress will act, creating more regulation and putting more pressure upon law enforcement and regulatory agencies to take action.
For example, when it comes to crypto-regulation, SEC Chairman Clayton’s leading supporter on Capitol Hill is none other than Senator Elizabeth Warren. Yes, that Senator Warren, the one who opposed Chairman Clayton’s nomination and who typically combats most everything any Republican in Washington, D.C. has ever wanted to do.
Senator Warren sits on the U.S. Senate Banking Committee and the affection between the two during a recent crypto-related hearing was as remarkable as it was uncomfortable. Witness this awkward exchange:
Senator Warren: “In 2017, companies raised more than $4 billion in ICOs. How many of those ICOs registered with the SEC?”
Chairman Clayton: “Not one.”
Senator Warren: “As of today, how many companies have registered for upcoming ICOs?”
Chairman Clayton: “Not one.”
Senator Warren: Why?
Chairman Clayton: “. . . What ICOs do is they take the disclosure-like benefits of a private placement and then add to it the public general solicitation and retail investor promise of a secondary market without registering with us. And folks somehow got comfortable that this was new, and it was OK and it was not a security and just some other way to raise money. Well, I disagree.”
Senator Warren: “So it is new, but it’s not OK, and it’s not another way to raise money?’
Chairman Clayton: “Correct.”
Senator Warren concluded her questioning with a wry smile, complimenting Chairman Clayton and wishing him luck with his crypto-offensive. Sooner rather than later, Congress will inevitably become increasingly engaged and ramp up its efforts to police crypto-financiers.
- Crypto-currency related prosecutions are typically simple cases that can be investigated over a weekend – and ready for prosecution on Monday.
Any former SEC enforcement lawyer will attest that crypto-related cases are typically not difficult, cumbersome or costly to investigate – and do not require much in terms of resources. Here’s why:
Cryptocurrency-related investigations are not like accounting frauds, market manipulations or complex insider trading cases, requiring extensive review of financial statements, audit trails and/or market data. Nor do crypto-related investigations typically require the conducting of intense financial or digital forensics; lengthy document reviews; and/or multiple testimonial proceedings. Instead, crypto-related investigations actually require scant evidence gathering.
In fact, the Internet provides SEC staff a glimpse into cryptocurrency exchange operations and ICO promotions as they unfold without ever using a subpoena. This has proven to be the most profound change wrought by the Internet in the field of securities regulation. Far from tying regulators hands, the Internet has become the virtual rope that many cyber thieves use to hang themselves. Moreover, unlike hackers trying to tamper with the energy grid or clandestinely trying to intrude into the computer networks of public companies, cryptocurrency financiers want to be found. They require a wide audience to review their information, invest in their offering or participate in their exchange. Rather than hide amid the unseen underbelly of the Internet, ICO promoters and cryptocurrency exchange operators peddle their services in plain view 24–7 — and can be actively observed from virtually anywhere on the planet.
Relatedly, outside of fraud claims, most SEC crypto-related violations are strict liability, requiring little in the way of scienter, conspiracy or even motive. Simply stated, as a matter of law, every securities offering is either registered, exempt or unlawful – regardless of what anyone in the process honestly believes or testifies.
- ICO investors may be entitled to a refund of their investment, creating tremendous upward liability for their promoters.
Purchasing an investment is not like buying a pair of shoes at Zappos. You can’t return the investment for a refund if you don’t like the fit. That is, unless you bought tokens in an ICO. ICO token purchasers may indeed have the right to a full refund, and perhaps even more.
Issuers, promoters, curators, sponsors, facilitators, so-called “finders,” investment banks, law firms, affiliates and anyone else connected to ICOs should be on notice. Thanks to a range of U.S. securities statutes, rules and regulations, ICO token subscribers may have so-called “rescission rights.”
Rescission rights essentially amount to a “put option for an ICO investment i.e. ICO token purchasers would have the right to sell their tokens back to ICO sponsors and obtain a full refund, plus interest from the company and sometimes its officers and directors. It all boils down to a fairly straightforward legal analysis:
- Even if an ICO is somehow SEC-registered or structured somehow to be SEC-exempt, the ICO is still likely offering what the law would deem “securities;”
- Anyone connected to an ICO who is marketing securities (who for example is receiving any form of transaction-based compensation) must be registered with the SEC as a broker-dealer;
- If there is any unregistered person or entity connected to the ICO and marketing the ICO, then the unregistered broker-dealer actions have permanently and irrevocably tainted the ICO; and
- Once an ICO becomes irrevocably and permanently tainted, per SEC rules and regulations, investors are entitled to rescission, that is, a refund of their initial investment.
In short, for anyone who loses money in an ICO, ICO promoters, issuers and others involved in the ICO process could be compelled to return investor proceeds that may have already been spent.
- For the legal team counseling crypto-finance players, here is one caveat for you: Watch your back.
SEC Chairman Jay Clayton recently gave an extraordinary speech at the 2018 Securities Regulation Institute in Washington, D.C., adding a new twist to his crypto-combat plan – hit the lawyers involved, and hit them hard. In one fell swoop, Chairman Clayton moved law firms and attorneys, whom he expects to serve as “gatekeepers” connected to ICOs and cryptocurrency exchanges, to front and center on the SEC’s radar.
By providing the kind of legal advice that can land a client into the SEC’s investigative, regulatory and prosecutorial crosshairs, or even worse, into the crosshairs of criminal investigators and prosecutors, lawyers now risk more than just their reputations and livelihoods. Per Chairman Jay Clayton, lawyers risk being investigated or prosecuted right beside their crypto-clients, no matter what the lawyer’s defense and no matter how much the lawyer’s good faith.
ICO promoters, cryptocurrency exchange operators and all of the other cryptocurrency financiers aboard the cryptocurrency bandwagon are in trouble. A recent bulletin from the eminent law firm Arnold & Porter sums this notion up perfectly:
“If there was ever a regulatory grace period for virtual currencies and blockchain technology, it is officially over. Five federal regulators—The Financial Crimes Enforcement Network of the US Treasury Department (FinCEN), the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Internal Revenue Service (IRS) and the Office of Foreign Assets Control (OFAC)—all recently issued statements or took actions in which they clarified their positions on the scope of their jurisdiction over multiple aspects of virtual currency and certain types of blockchain enterprises. State, foreign and multilateral regulators have also taken actions to reign in virtual currencies. Companies and investors that are now working with these technologies, or that are exploring how they might fit into their existing business strategies, must be ready to justify their activities on a comprehensive basis from regulatory, compliance, tax and business perspectives.”
Yet, according to Coinschedule, in 2017, issuers raised $3.88 billion through 210 ICOs, but in just the first three months of 2018, issuers have already raised $4.9 billion in 158 ICOs. Of the total of nearly $8.8 billion raised in ICOs in 2017 and so far in 2018, $6 billion was raised just in the fourth month period from December 2017 to the end of March. In other words, the growth of ICOs has simply been astonishing.
Perhaps the cryptocurrency token excitement relates to public fascination and obsession with blockchain – the technology underlying cryptocurrency — which many experts portend to be a global financial game-changer, greatly accelerating payments, increasing transparency and fostering principal-to-principal transactions. Indeed, some predict that blockchain technology may very well be the greatest disruptive and productivity-enhancing economic development in history.
Or perhaps the reason is far simpler: cryptocurrency tokens are simply too tantalizing to resist for accepting investors seeking the latest opportunity to get rich quick.
Under any circumstance, celebrities like Floyd Mayweather and DJ Khaled (and anyone else interested in cryptocurrency financing) require wise counsel before they become entangled in crypto’s ethereal and cybernetic financial products. The actions of federal and state regulators and law enforcement have had, and will continue to have, significant implications for crypto-industry players and wannabes.
Although both Mayweather and Khaled appear to have dodged a bullet – other crypto-dupes might not be so lucky. As famed former SEC Enforcement Director and former U.S. District Court Judge Stanley Sporkin has always said: If you lie down with dogs, you get flees. By earnestly communicating these ten simple, plain and straight-forward crypto-caveats, lawyers can mind Judge Sporkin’s prescient admonition, and may actually prevent future client crypto-infestations.
John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He has taught most recently as Senior Lecturing Fellow at Duke University Law School Winter Sessions and will be teaching a cyber-law course at Duke Law in the Spring of 2019. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Strop Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook.”