Earlier this year, the U.S. Department of Justice (“DOJ”) released its highly anticipated Cryptocurrency Enforcement Framework (the “Framework”). The Framework was developed as part of the Attorney General’s Cyber-Digital Task Force, and contains three sections: (1) Threat Overview; (2) Law and Regulations; and (3) Ongoing Challenges and Future Strategies.
On December 1, 2020, the U.S. Commodity Futures Trading Commission (“CFTC”) Division of Enforcement released its Annual Report, which details a “record-breaking” fiscal year 2020 (“FY 2020”), despite the challenges presented by the COVID-19 pandemic.
Notably, the CFTC filed a historic 113 enforcement actions, up from 69 filed in FY 2019 and 83 filed in FY 2018, and above the previous high of 102 filed in FY 2012. The chart below shows the breakdown of enforcement actions by category, and Appendix B of the Annual Report provides individual case citations.
Weeks after touting its record-breaking enforcement haul, the Commodity Futures Trading Commission (“CFTC”) Enforcement Division issued a memorandum providing guidance for enforcement staff to use when recommending the recognition of cooperation, self-reporting and remediation during the enforcement process. The historic enforcement performance demonstrated that the CFTC can wield a large stick, but the latest guidance is aimed at recognizing efforts in resolving violations.
Ever since the creation of Bitcoin in the late 2000s, the SEC has warned that, depending on the circumstances, “initial coin offerings” (ICOs) involving digital tokens or coins may be subject to regulation under the federal securities laws.1 The SEC has provided “facts and circumstances” guidance regarding whether a particular cryptocurrency offering involves a security. See, e.g., the SEC’s Framework for “Investment Contract Analysis of Digital Assets.” But officials have opined that cryptocurrencies sold only to be used to purchase a good or service, such as Bitcoin or Ethereum, may not be securities.2
On October 6, 2020, the Commodity Futures Trading Commission (“CFTC”) issued a release describing its record-breaking enforcement year. The release noted that in fiscal year 2020 (“FY2020”), the CFTC filed more enforcement actions than any other year in the history of the agency. CFTC Chairman Heath P. Tarbert stated “[w]e are tough on those who break the rules, and this historic year only further underscores this point.”
The most recent headlines emphasize the CFTC’s enthusiasm in pursuing spoofing-related actions. Of note, the CFTC ordered a registrant and affiliates associated with one of the largest bank holding companies to pay a record $920 million for spoofing and manipulation that spanned over eight years. This penalty is the largest monetary relief in the agency’s history. In September alone, the CFTC announced three other spoofing settlements with fines totaling nearly $1.8 million, and brought charges against a trading firm and two of its traders.
On September 10, 2020, the CFTC announced the issuance of new public guidance to its enforcement staff on evaluating the adequacy of corporate compliance programs. The new guidance provides enforcement staff a framework with which to assess participants’ compliance programs, and is intended to ensure consistency and transparency in such reviews.
The latest publication continues the Commission’s efforts to increase transparency in the enforcement process. In May, the CFTC formally issued guidance regarding Enforcement’s decisions to recommend the imposition of civil monetary penalties, and last year the Division issued its first public Enforcement Manual. More details on these previous issuances from the CFTC can be found here and here.
On September 15, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting the recent uptick in “credential stuffing” cyber-attacks against SEC-registered investment advisors and broker-dealers.
Credential stuffing is an automated cyber-attack on Internet-based user accounts and firm networks. Attackers obtain usernames and passwords from the dark web and then use automated scripts to try the compromised credentials against other customer accounts and firm networks in an attempt to log in and gain unauthorized access. Credential stuffing has proven to be a more effective way for hackers to gain access to accounts and firm systems than traditional brute-force password attacks. If a credential stuffing attack is successful, attackers can gain access to and control over customer assets and confidential information.
A Spoofing Record Breaker
On August 19, 2020, the Commodity Futures Trading Commission (“CFTC”) issued three orders filing and settling charges against a bank with a provisionally registered swap dealer (the “Firm”) requiring the Firm to pay $127.4 million for spoofing and making false statements, as well as for swap dealer compliance and supervision violations.