Cryptoasset Enforcement - where are we at the end of 2018? What to expect in 2019?
By Robert Rice, Steven Gatti, Kelwin Nicholls, Oliver Pegden and Ben Peacock, Clifford Chance
Published: 18 January 2019
On 11 December 2018, Andrew Bailey, Chief Executive of the UK FCA, speaking to an audience in London, praised the enforcement action taken by the SEC in relation to initial coin offerings (ICOs) and said that European regulators could learn from the SEC's strong interventions. The FCA is expected to consult on the regulation of cryptoassets early in 2019 but has not yet taken any enforcement action.
In this briefing, we share data obtained from the FCA by freedom of information request relating to current cryptoasset investigations and analyse enforcement trends globally.
UK investigative activity
In October, the Cryptoasset Taskforce (HMT, FCA and Bank of England) published its Final Report which identified the main risks associated with cryptoassets as financial crime, risks to consumers, risks to market integrity and risks to financial stability.
Subsequently, we made a freedom of information request to the FCA asking for detailed information regarding the FCA's investigations or enquiries relating to cryptoassets (broadly defined to include: cryptocurrencies, derivative instruments referencing cryptocurrencies, investment assets in cryptocurrencies, security tokens and utility tokens).
As at November 2018, there were no current cryptoasset-related FCA enforcement investigations (the same position as existed in May 2018). However, the FCA was conducting 21 separate enquiries in relation cryptoasset perimeter issues (i.e. whether firms that are involved in some form of cryptoasset business might be carrying on regulated activities without appropriate authorisation). These enquiries were not solely focused on issuers - they included enquiries into firms who may be conducting regulated activities through advising and/or arranging deals in cryptoasset investments.
There were two ongoing enquiries into authorised firms in relation to cryptoasset activities. One enquiry related to the potential misappropriation of client funds, the other related to providing account services to a cryptocurrency exchange. There were two open enquiries relating to the money laundering risks associated with cryptoassets.
There were no market abuse enquiries relating to cryptoassets and, perhaps surprisingly given the reports of manipulation in cryptocurrency derivative markets, the FCA was unable to find any record of having received any Suspicious Transaction and Order Reports (STOR) relating to cryptocurrency derivatives over the last two years.
Wider enforcement trends
It is unsurprising to see the FCA focused on perimeter issues.
The past two years have been characterised by uncertainty as to whether cryptoassets, particularly tokens issued as part of ICOs, constitute securities falling within existing regulatory perimeters.
During this period, enforcement investigations globally have focused heavily on perimeter issues, playing an important role in enabling authorities to develop their understanding of cryptoasset businesses and products and to signal interpretations of the perimeter.
As Andrew Bailey indicated, the US has led the way. Prior to 2017, publicly-announced SEC actions focused on products that clearly qualified as U.S. securities, such as offerings of shares in bitcoin investment trusts or tokens that purported to represent shares in a company. The SEC's enforcement efforts broadened in 2017 beginning with the publication of the Slock.it Decentralized Autonomous Organization (DAO) Report which concluded that the tokens issued by the DAO constituted investment contracts, and therefore securities. The SEC declined to penalise Slock.it because the DAO Report was the first instance in which the SEC asserted broad authority to regulate ICOs, but since then the SEC has settled multiple enforcement actions related to ICOs and is actively investigating additional ICOs. Most recently in November 2018, the SEC announced that it settled charges against two firms for securities offering registration violations in connection with ICOs. These were the first occasions on which the SEC has imposed civil penalties against ICO issuers for securities offering registration violations only (a prior enforcement action for securities offering registration violation in connection with an ICO was settled without imposition of a penalty after the issuer voluntarily refunded all proceeds of the ICO).
Elsewhere in the world, enforcement activity has been more limited, but has also focused on perimeter issues.
In May 2018, the Singapore MAS, in its strongest public reprimand over digital tokens, stopped an issuer of an ICO from continuing with its fund-raising bid as its tokens represented equity ownership in a company and therefore would be considered securities. The MAS also warned eight unnamed digital token exchanges in Singapore not to facilitate trading in digital tokens that are securities or futures contracts without the MAS' authorisation.
The Hong Kong SFC has not yet taken any formal enforcement action against any cryptocurrency exchanges or issuers of ICOs. However, in February 2018, the SFC issued letters to various cryptocurrency exchanges and ICO issuers warning them that they should not trade or issue cryptocurrencies that are "securities" under the SFO without authorisation. In March 2018, ICO issuer Black Cell Technology Limited (Black Cell) halted its ICO to the Hong Kong public and agreed to unwind ICO transactions for Hong Kong investors after the SFC had expressed concerns that Black Cell had engaged in potential unauthorised promotional activities and unlicensed regulated activities. We see a similar pattern elsewhere.
Until recently, authorities themselves have defined the regulatory perimeter through published guidance and settled enforcement cases. Recently, however, enforcement actions have started to arrive in the courts, providing an opportunity for judicial guidance.
In September 2018, a Federal Judge in the Eastern District of New York, in the context of the criminal prosecution of Maksim Zaslavisky for securities fraud in connection with two ICOs, ruled that a reasonable jury could conclude that the ICO tokens in question were investment contracts falling with the scope of securities laws.
Meanwhile, also in September 2018, the Higher Regional Court of Berlin held in a criminal enforcement case, that Bitcoins are neither a financial instrument nor units of account within the meaning of the German Banking Act and that therefore operating a Bitcoin trading platform does not require a German banking licence. The German government is currently investigating whether the German Banking Act needs to be amended to support BaFin's current administrative practice of defining the scope of licensable activities and deciding whether an activity is licensable under the German Banking Act.
In recent months we have seen US perimeter enforcement activity expand focus beyond issuers. On 11 September, the SEC announced two settled actions against non-issuers, TokenLot and Crypto Asset Management. These cases marked the SEC's first cryptocurrency enforcement actions against non-issuers for failing to register as broker-dealers and investment companies. TokenLot operated as a broker by facilitating sales of digital tokens offered by nine ICO issuers. CAM managed Crypto Asset Fund, a pooled investment vehicle formed for investing in digital assets. On 8 November, the SEC announced a settlement with the founder of EtherDelta, a trading platform for digital assets, for operating as an unregistered national securities exchange. We expect enforcement authorities elsewhere to expand the focus of their perimeter investigations similarly.
Looking ahead in enforcement
We expect to see continued enforcement activity in relation to perimeter issues as authorities gain confidence in the conduct of these types of investigations and anticipate hardening of the rules. But we also expect that, as changes in law take effect and the perimeter is better defined, authorities will expand enforcement activities to other issues.
We expect, in particular, to see a growth of enforcement activity relating to market misconduct, anti-money laundering and investor protection (within the regulatory perimeter).
As regards market misconduct, we expect to see an increase in enforcement focused on market manipulation of cryptoassets. To-date publicly-announced enforcement activity in this area has been largely confined to action taken by the CFTC in the US. This has focused exclusively on fraud related to bitcoin. Now that bitcoin futures contracts are trading on U.S. exchanges (with bitcoin options scheduled to begin trading soon), it is likely that the CFTC will increase its efforts to police bitcoin manipulation. In summer 2018, it was widely reported that the CFTC was taking aggressive action to obtain trading data from cryptocurrency spot exchanges whose prices are components of the reference rate used to price the CME's Bitcoin futures contract. We expect similar trends elsewhere, particularly in the UK where the FCA has been increasingly focused on market manipulation since 2015.
As regards anti-money laundering risks connected with cryptoassets, whilst we have not seen any public enforcement outcomes, authorities are already focusing on the specific obligations that established regulated firms have in relation to these risks. In June 2018, the UK FCA wrote to bank Chief Executives highlighting the obligations that regulated firms have to prevent and detect financial crime connected with cryptoassets, citing examples of where a regulated firm offers services to cryptoasset exchanges, arranges an ICO, or serves clients whose wealth derives from cryptoassets. Regulatory initiatives to bring cryptoasset exchanges into the anti-money laundering regulations are underway in the EU. The Fifth European AML Directive will extend AML and Counter-Terrorist Financing rules to virtual currencies, such that rules will now apply to entities which provide services holding, storing and transferring virtual currencies. In future, these entities will have to identify their customers and report any suspicious activity to relevant regulators and authorities.
Although cryptoassets may present particular cross-border enforcement issues, particularly concerning where activities take place, we have not yet seen significant examples of large-scale cross-border collaboration and co-ordination in relation to enforcement activity such as that seen in recent years in relation to other forms of conduct. We expect that to change too.