Ever since the creation of Bitcoin in the late 2000s, the SEC has warned that, depending on the circumstances, “initial coin offerings” (ICOs) involving digital tokens or coins may be subject to regulation under the federal securities laws.1 The SEC has provided “facts and circumstances” guidance regarding whether a particular cryptocurrency offering involves a security. See, e.g., the SEC’s Framework for “Investment Contract Analysis of Digital Assets.” But officials have opined that cryptocurrencies sold only to be used to purchase a good or service, such as Bitcoin or Ethereum, may not be securities.2
On October 6, 2020, the Commodity Futures Trading Commission (“CFTC”) issued a release describing its record-breaking enforcement year. The release noted that in fiscal year 2020 (“FY2020”), the CFTC filed more enforcement actions than any other year in the history of the agency. CFTC Chairman Heath P. Tarbert stated “[w]e are tough on those who break the rules, and this historic year only further underscores this point.”
The most recent headlines emphasize the CFTC’s enthusiasm in pursuing spoofing-related actions. Of note, the CFTC ordered a registrant and affiliates associated with one of the largest bank holding companies to pay a record $920 million for spoofing and manipulation that spanned over eight years. This penalty comes as the largest monetary relief in the agency’s history. In September alone, the CFTC announced three other spoofing settlements with fines totaling nearly $1.8 million, and brought charges against a trading firm and two of their traders.
On September 10, 2020, the CFTC announced the issuance of new, public, guidance to its enforcement staff on evaluating the adequacy of corporate compliance programs. The new guidance provides enforcement staff a framework with which to assess participants’ compliance programs, and is intended to ensure consistency and transparency in such reviews.
The latest publication continues the Commission’s efforts to increase transparency in the enforcement process. In May, the CFTC formally issued guidance regarding Enforcement’s decisions to recommend the imposition of civil monetary penalties, and last year the Division issued its first public Enforcement Manual. More details on these previous issuances from the CFTC can be found here and here.
On September 15, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting the recent uptick in “credential stuffing” cyber-attacks against SEC-registered investment advisors and broker dealers.
Credential stuffing is an automated cyber-attack on Internet-based user accounts and firm networks. Attackers obtain usernames and passwords from the dark web and then employ automated scripts utilizing the compromised information to attempt to log in and gain unauthorized access to other customer accounts and firm networks. Credential stuffing has proven to be a more effective way for hackers to gain access to accounts and firm systems than traditional brute force password attacks have been. If the credential stuffing attack is successful, attackers can gain access to and control over customer assets and confidential information.
A Spoofing Record Breaker
On August 19, 2020, the Commodity Futures Trading Commission (“CFTC”) issued three orders filing and settling charges against a bank with a provisionally registered swap dealer (the “Firm”) requiring the Firm to pay $127.4 million for spoofing and making false statements, as well as for swap dealer compliance and supervision violations.
Following the high-profile market disruptions caused by the “flash crash” of May 6, 2010, and the “Knightmare” in August 2012, when a coding error in Knight Capital’s trading software resulted in the firm suffering $460 million in losses over the course of 45 minutes, the CFTC sought to determine existing industry practices around automated trading in the futures markets and to evaluate the need for additional regulations. To this end, in 2013, the CFTC published an extensive Concept Release and sought industry feedback on over 120 questions regarding risk controls and system safeguards around automated trading. Market participants applauded the CFTC’s efforts to foster an open discussion on industry best practices, and the industry devoted significant time and resources to drafting thoughtful responses to the Commission’s questions, with over 50 response letters filed.
Yesterday, the CFTC’s Division of Enforcement formally issued new guidance regarding the Division’s decisions to recommend the imposition of civil monetary penalties. According to the CFTC, “[t]he guidance memorializes the existing practice within the Division,” but “has now been incorporated into the Division’s Enforcement Manual.” CFTC, CFTC Division of Enforcement Issues Civil Monetary Guidance.
Steven Seagal just learned the hard way that, unlike the title of his 1988 police action movie, he is not Above the Law. Unfortunately for the prolific action movie star, the SEC took notice of his recent actions and was Out for Justice. In order to avoid a Maximum Conviction, the SEC recently announced that Seagal made the Executive Decision to settle charges brought by the agency related to the actor’s failure to disclose the nature, scope, and amount of compensation he received for promoting an investment in an initial coin offering (ICO) conducted by Bitcoiin2Gen.