Joint Statement on Cryptocurrency Enforcement

A joint statement on cryptocurrency enforcement by the SEC and CFTC Enforcement Directors:

When market participants engage in fraud under the guise of offering digital instruments – whether characterized as virtual currencies, coins, tokens, or the like – the SEC and the CFTC will look beyond form, examine the substance of the activity and prosecute violations of the federal securities and commodities laws.

The Divisions of Enforcement for the SEC and CFTC will continue to address violations and to bring actions to stop and prevent fraud in the offer and sale of digital instruments.

http://www.cftc.gov/PressRoom/PressReleases/mcdonaldstatement011918

Chino v. N.Y. Dep’t Fin. Servs., 2017 NY Slip Op. 51908 (U) (N.Y. S. Ct. Dec. 21, 2017)

Chino v. N.Y. Dep’t Fin. Servs., 2017 NY Slip Op. 51908 (U) (N.Y. S. Ct. Dec. 21, 2017) [Link]

Summary: Applicant for N.Y. Bitcoin license challenged the constitutionality and enforcement of the state’s licensing law. Suit dismissed for lack of standing.

Facts:

  • [P]ursuant to 23 NYCRR § 200.3 (a), anyone engaged in virtual currency business activity must first obtain a license.
  • [P]etitioner intended to set up a business in New York that was to install Bitcoin processing services in bodegas in New York State.
  • Petitioner applied for a Virtual Currency Business license on behalf of LTD on August 7, 2015. Petitioner annexes a copy of the application as Exhibit IX to his petition. He provided the name but not the address of LTD. He did not provide an authorization as required by 23 NYCRR § 200.3 (a) (3); instead, he wrote on the form that he did not authorize the release of information. He filled out some but not all financial information on the form requested, and he indicated that he had no insurance and kept no financial or accounting books. For his background report certification, he wrote: “[Could] not obtain in time.” He filled out a personal information form but he refused to disclose his employment history for the last fifteen years, and he did not provide the names and addresses of past employers. He did not disclose whether he was employed by, performed services for, or had business connections with any agency or authority of the State of New York, or any institutions subject to DFS supervision. He stated he had no financial interest in any agency or authority in New York or any other state. He provided none of the required references. He stated that his high school, college, and professional or technical school information was not applicable. He refused to disclose his social security number. Along with his application, he submitted a handwritten letter which requested a waiver of the $5,000 application fee based on his characterization of the size of the business, its budget, and its financial status.
  • Petitioner initiated this proceeding, pro se, on October 16, 2015, before he received any response from DFS; he states that he did so because he realized “he would be required to incur expenses beyond his means to comply with the burdensome compliance costs under the Regulation” (Petition, ¶ 91).
  • On January 4, 2016, DFS returned his August 7, 2015 application without processing it. The letter states that DFS could not evaluate the application because it contained “extremely limited” information and, among other things, did not describe the business in which LTD was or would be engaged and did not specify in what respect, if any, the business involved virtual currency (DFS Jan. 4, 2016 letter [Exh. XI to Petition]). The letter explained that because of this DFS could not determine whether LTD was a virtual currency business subject to the regulations.

Issues, Holdings, and Discussion:

  1. Does a petitioner who submitted an incomplete application for a N.Y. Bitcoin license, failed to follow up when DFS stated it was unable to process the application, and could not show losses due to licensing have standing to challenge the licensing regulations? No:

Petitioner did not complete LTD’s application, and did not respond to DFS’ January 2016 letter which notified him of his failure to do so. Petitioner acknowledges that he abandoned the application process because of the pendency of this hybrid action/proceeding challenging the regulation (Chino Aff. in Opp. To Cross-Motion, at ¶ 16). CPLR § 7803 provides a petitioner with a means to challenge “whether a determination was made in violation of lawful procedure, was affected by an error of law or was arbitrary and capricious or an abuse of discretion” (CPLR § 7808 [3]). Moreover, “one who objects to the acts of an administrative agency must exhaust available administrative remedies before being permitted to litigate in a court of law” (DiBlasio v Novello, 28 AD3d 339, 341 [1st Dept 2006] [citations and internal quotation marks omitted]). Courts cannot “interject themselves into ongoing administrative proceedings until final resolution of those proceedings before the agency” (Id.). In the proceeding at hand, DFS did not reach a final decision. Indeed, it did not reach any decision. Accordingly, there is nothing for this Court to review.

The Court notes that an exception exists to the exhaustion requirement when the action “is challenged as either unconstitutional or wholly beyond its grant of power, when resort to an administrative remedy would be futile or when its pursuit would cause irreparable injury” (Martinez 2001 v New York City Campaign Finance Bd.,36 AD3d 544, 548 [1st Dept 2007]). The exception does not apply in this instance. Again, petitioner’s failure to complete his application precludes him from raising this argument. Because of his failure, the agency did not take any action — constitutional or otherwise, and neither within nor exceeding its grant of power. The DFS letter stating more information was necessary is not an action or decision within the meaning of the governing law. Instead, it is the legislation itself that petitioner challenges here. Any irreparable injury petitioner alleges is a result of the underlying law and not of any agency action.

Moreover, even if an ultra vires or unconstitutional action were at issue, petitioner has not shown that DFS has caused it irreparable harm. LTD’s tax returns show three-and-a-half years of losses prior to the initiation of this action, and show comparable losses in 2014 — prior to the existence of the regulation — due to ongoing operation expenses.

. . . .

Next, the Court examines the question of whether petitioner has standing to challenge the constitutionality of the regulation. This presents a much closer issue than that of his Article 78 proceeding. To establish standing, a plaintiff must show injury in fact, which, “[a]s the term itself implies, . . . must be more than conjectural” (Quast v Westchester County Bd. of Elections, 155 AD3d 674, 674 [2nd Dept 2017]). In addition, the plaintiff must establish that he or she falls within the zone of interest which the regulation impacts (See id.). Moreover, “personal disagreement and speculative financial loss are insufficient to confer standing” (Roulan v County of Onandaga, 21 NY3d 902, 905 [2013] [rejecting plaintiff’s standing argument that he sustained financial harm because challenged plan caused him to be assigned fewer criminal cases]; see New York State Psychiatric Assoc., Inc. v Mills, 29 AD3d 1058, 1059 [3rd Dept 2006] [asserted financial harm to psychiatrists was speculative]).

. . . .

[P]etitioner did not apply for certification,[8] and has not shown sufficient economic loss. Any argument as to the $5,000 application fee was waived because petitioner did not pay the fee or pursue the application. His economic loss argument is otherwise insufficient because LTD has never made a profit and petitioner showed proof of only one $279.41 sale. Moreover, its losses in 2016, once petitioner thought LTD was subject to the regulation, are not inconsistent with LTD’s prior financial history.

Comments:

  • Standing and similar doctrines make it difficult to challenge government actions in all areas. Challenges to cryptocurrency regulations are no different and will need to be carefully tailored – with appropriate case “vehicles” – or they will be dismissed.

Kidnapped Crypto Executive Ransomed

A reminder, if any was needed, that the skyrocketing value of cryptocurrency makes major holders vulnerable:

Armed gang members kidnapped a top executive at U.K.-registered cryptocurrency exchange Exmo Finance this week and only released him after they were paid a $1 million equivalent ransom in bitcoins, the Financial Times reported.

https://gizmodo.com/kidnapped-crypto-exchange-executive-reportedly-paid-1-1821658250

Munchee ICO

Today the SEC announced a consent agreement with Munchee to refund investments in the Munchee ICO. I’ll do a deeper dive into the consent decree in the near future, but for now it’s worth noting how steadily the SEC is ramping up its enforcement strategy. Just a few months ago, the SEC was making phone calls to companies with ICOs, the companies were conducting voluntary returns, and they never heard from the SEC again. Now the SEC is demanding consent agreements – and the necessary but expensive legal advice that comes with entering into them – before it will let a company slip the bit. Everyone that has run an ICO or is thinking about running an ICO should be paying very close attention. And while I am admittedly biased, they should be retaining legal counsel now.

SEC Files Charges Against PlexCorps

The SEC Cyber Unit has filed charges in its first case, claiming that PlexCorps defrauded ICO investors:

The Securities and Exchange Commission’s new Cyber Unit has filed its first charges since being formed in September. The unit’s case is being brought against a company called PlexCorps, its founder Dominic Lacroix and his partner Sabrina Paradis-Royer and the SEC claims that Lacroix and Paradis-Royer were actively defrauding investors. PlexCorps was engaged in an initial coin offering (ICO) — which was selling securities called PlexCoin — that had already raised around $15 million since August and it was fraudulently promising that investors would see a 13-fold profit in just under one month. The SEC obtained an emergency asset freeze to halt the ICO.

(https://www.engadget.com/2017/12/04/sec-cyber-units-first-charges-cryptocurrency-fraud/)

Interestingly, this is a straight fraud case, not a claim that PlexCorps is offering securities without a license.  No Howey test, no debate over whether this is a security or a utility token. Just a straight claim that PlexCorps lied and made money from it.  The Complaint is here: https://www.sec.gov/litigation/complaints/2017/comp-pr2017-219.pdf

One gets the sense that the SEC is ramping up.  First warnings and guidance, now fraud cases, and soon unregistered securities offerings.

Parity Wallet Failure

Amy Wan discusses the Parity Wallet failure here and describes a new SDK that she is rolling out that will offer insurance against similar failures by future smart contracts.  One important point is her list of potential failure points for smart contracts, a set of points I agree with:

  • smart contracts may contain coding errors (and many developers write code using a fail fast and iterate mentality)
  • smart contracts may contain vulnerabilities easily exploited by hackers
  • smart contracts may not accurately reflect the intent of parties
  • contracting parties may change their mind and wish to amend, modify, or terminate the contract due to misrepresentation, mistake, duress, impossibility, or a change in circumstance
  • external data sources, such as other contracts or oracles may provide incorrect data

There are many ways to minimize exposure here. Code audits are a must, particularly for significant, multi-use libraries. Building in failsafes – like Amy’s SDK or other tools – is also prudent. And linking to multiple external oracles with sanity checking for the inputs is likewise necessary.

Third-Party Risk With Parity Wallet Failure

Earlier this week, popular Ethereum wallet Parity was either hacked or unintentionally damaged, leading to the loss of approximately $300M in Ether.  (While the actions that led to the loss are clear, the responsible party’s intent has not been firmly established.)

This article provides a good summary: https://www.theguardian.com/technology/2017/nov/08/cryptocurrency-300m-dollars-stolen-bug-ether

Essentially, a bug in the Parity multi-signature wallets allowed a coder to take ownership of the entire multi-signature wallet structure at its root.  When the coder the deleted that code – ostensibly in an effort to undo his actions in taking ownership and return the wallets to their true owners – he actually deleted the code that allowed the multi-signature wallets to operate at all.

Core Ethereum developers have reviewed the issue and concluded that only a hard fork will fix the problem.  But Ethereum’s DAO hard fork led to the permanent creation of the ETH / ETC split.  And the Parity wallets at issue compose a much smaller part of the Ethereum market cap than DAO did.  A hard fork seems unlikely.

One of the biggest advantages of cryptocurrency is its ability to be held by anyone and accessed anywhere at anytime.  Parity, a widely Ethereum wallet, has just lost its users hundreds of millions of dollars.  Individuals holding cryptocurrency should seriously consider moving their assets to hardware wallets like Trezor or Ledger.  Companies holding cryptocurrency should seriously consider developing their own, in-house, thoroughly audited solution.  (Thanks to QE partner and former SEC Chief of Staff Michael Liftik for pointing out this important aspect of the article.)