On demand 1h 1m 59s Basic

The Law of Cryptocurrency and Blockchain Technology: What Do Businesses, Investors, and Consumers Need to Know?

Start your free 7-day trial
Access Quimbee's CLE library for free with a 7-day free trial membership.

The Law of Cryptocurrency and Blockchain Technology: What Do Businesses, Investors, and Consumers Need to Know?

From FTX to NFTs, it seems like cryptocurrency and blockchain technology are at the top of news and culture. But which laws apply to this technology, and which government entities regulate this space? And what do businesses, investors, and consumers need to know to avoid legal pitfalls?

Transcript

- Good day and welcome to Quimbee's online CLE course, The Law of Cryptocurrency and Blockchain Technology: What Do Businesses, Investors, and Consumers Need to Know? My name is Joseph Facciponti and I'll be your course instructor. I'll give you an overview of the presentation in a minute, but first, a little bit about me. For nearly a decade, I was a federal cybercrime prosecutor at the U.S. Attorney's Office for the Southern District of New York. After that, I spent nearly another decade as an in-house lawyer and in private practice, advising clients on white collar financial crime, cybersecurity, privacy, and technology issues including issues related to cryptocurrency and blockchain. Currently, I'm the executive director of the NYU School of Law Program on Corporate Compliance and Enforcement, a law and policy center that studies the latest trends at the intersection of corporate crime, compliance, and technology. I also teach classes at NYU and at Cornell Law School. So let's talk about today's presentation. First, let's give you an outline of this presentation. What are some of the things that you think of when you hear the words cryptocurrency or blockchain? You may think of things like currency or coins. You may have heard blockchain technology referred to as tokens, or you may have heard terms like smart contracts, NFTs. And then, you may think of concepts like decentralization, secrecy, and security. These are all things that people think about when they hear this technology. Now what are some of the negative things you think about when you hear about crypto and blockchain? Well, unless you haven't been following the news recently, you probably would think, the first thing that you probably would think, is about fraud, money laundering, things like extortion or ransomware, a way for people to buy illegal goods and services on the dark web and also unregistered securities offerings in the form of I-C-O's or ICOs. This class is going to explore these themes primarily from a legal perspective. The goal is that by the end of the course, you'll understand the basics of crypto. And more importantly, you'll understand how the government is seeking to regulate it. You'll also understand the legal pitfalls that exist for folks who are active in the blockchain and crypto communities. Specifically, this course will address: the basics of how the blockchain works, the way the government investigates and prosecutes individuals who commit crimes using blockchain technology, and the way the government regulates and controls how blockchain technology can be used. Let's start with the basics. What is cryptocurrency? Well, before we can answer that question, we need to answer the question of what is the blockchain? To keep it as simple as possible, the blockchain or blockchain technology is a new way of maintaining a database with a network of computers. Each piece of information in the database such as a transaction is stored in what's called a block, and the blocks are linked together chronologically into a chain. Once created, the data in a block cannot be altered unless a certain number of computers in the network agree, which makes the block immutable, with some exceptions and secure. How is the blockchain secure? Well, for most blockchains, a decentralized network of computers work to validate and form a consensus over what transactions have occurred on the blockchain, and then use cryptography to securely save that information in blocks. Now you may have heard of bitcoin miners folks who dedicate significant computing power and resources to quote, unquote, "mine bitcoin." Well, what they are actually doing is using their computers to validate and secure the bitcoin blockchain. And for that, the bitcoin protocol periodically rewards them with bitcoin. Now for many blockchains, all the stored data in the blockchain is visible and transparent for all to see. So it's possible to see every record of a transaction but not all blockchains are the same. Some blockchains are public, meaning anyone can use and access them. These are called permissionless blockchains, which means anyone can participate in the consensus and validation of the blockchain if they offer up their computing resources to participate in that. On the other hand, some are private and require permission to be used, and they are often used internally by businesses. How does the process of mining or validating transactions and creating blocks keep the blockchain secure? Well, that's a bit too technical for this presentation but it's safe to say that different blockchains use different technological methods to ensure the integrity of their systems with bitcoin being the most computationally expensive, and therefore typically considered the most secure. Now you may be saying, what is the point of this technology and how can it be used? What one way to think about this is a way to create an immutable permanent record that cannot be altered of a series of transactions without any middlemen involved, since this is being done by network of computers automatically. So blockchain technology actually has many applications. Some of which we'll discuss throughout the course. But take the issue of needing to perform a title search for real property to ensure that the seller of the real property actually has full title to the property that they propose to sell to the buyer. If all the past transactions, liens, mortgages, et cetera, involving that piece of property have been recorded on the immutable blockchain, there would be no need to hire someone to conduct an extensive title search. It would be instantly cleared to everyone, upon looking at the blockchain, whether the current seller has title to that property. So now let's talk about what cryptocurrency is. Cryptocurrency or crypto is just one function of blockchain technology. For crypto, the blockchain is used to record transactions in units of value called coins such as bitcoin, which can be bought and sold by individuals and investors and used to purchase items. For most types of crypto, all transactions for each coin are recorded in the blockchain, so it's possible for the public to see every transaction involving a particular coin. However, so-called privacy coins obfuscate information on the blockchain, making it harder to trace transactions. For coins for all types of cryptocurrency are typically stored by holders in wallets and coin holders need secret cryptographic keys to engage in transactions with them. In other words, they need a secret password to get access to and transfer and engage in transaction with their particular coins. You may have heard the term of cold storage when it comes to cryptographic keys, and that means that the coin holders sometimes save their passwords or cryptographic keys on electronic storage media, such as a thumb drive, that is not connected to the internet, which makes it difficult for hackers to steal the keys from the coin owners. While the most well-known application of blockchain technology is cryptocurrency, as we mentioned earlier, blockchain has many other potential uses like the title insurance example I gave above. Blockchain developers are creating what are commonly known as protocols or ecosystems that perform certain tasks, for example, issuing stablecoins, which are cryptocurrency coins whose value is purportedly tied to the value of a particular fiat currency, such as the U.S. dollar. Stablecoins may make it easier for businesses and individuals to engage in online transactions or exchange foreign currency since the value of the stablecoin is punitively tied to the value of a particular fiat currency. But a note of caution about stablecoin, because some stablecoin maintain their value by holding one unit of fiat currency in reserve for each stablecoin issued by the blockchain protocol. That is to say, $1 in actual U.S. currency for each $1 worth of stablecoin that is issued. That's the most traditional conservative kind of stablecoin. However, other protocols issue what are known as algorithmic stablecoins that are not fully backed up by fiat currency, but instead by some sort of arbitrage in the crypto markets. The latter form offers more risk as the example of the collapse of the Terra stablecoin in the spring of 2022 demonstrated. Even for stablecoins that are fully backed up by fiat currency, if you're thinking about buying a large number of them, it's good to ask the protocol or whoever's responsible for issuing those stablecoins for results of any audits into the protocol's fiat currency holdings. Now we talked about stablecoins, but other blockchain protocols might provide loans, help entities engage in fundraising, trade crypto and other digital assets, develop video games and so on. The possibilities are limitless. Now another key term that you may have heard in this area is the Decentralized Autonomous Organization or DAO. Some developers create entities known as DAOs, which seek in some ways to mimic corporations but have no physical place of incorporation and grant the participants in the DAO control over what projects the DAO undertakes, ideally with no intermediaries or senior management. Think of it as a corporation that is completely owned and controlled by the shareholders. Now all of these protocols and applications, as I said earlier, are built on an existing blockchain. The most popular of which is the Ethereum blockchain. Ethereum offers functionality for users to develop other applications that run on that blockchain. Ethereum also offers its own cryptocurrency called Ether. You've probably also heard about tokens in connection with blockchain technology. Tokens are simply a unit from a blockchain that provides the holder with some rights or value. In other words, they are a digital asset. For example, a particular blockchain project or ecosystem might offer individuals who buy tokens the right to vote on proposals to change the protocol or decide how the project should proceed. These are called governance tokens. Other tokens might grant users the right to obtain coins and tokens or otherwise access the functions of the particular protocol in question. Tokens often find themselves in the crosshairs of certain regulators, such as the U.S. Securities and Exchange Commission or SEC, which considers many tokens to be securities, and thus subject to the U.S. Securities laws and requirements. We'll talk more about that later. Another application of blockchain technology is the smart contract, which is simply computer code stored on a blockchain that performs a certain function when predetermined conditions are met. Take the example of stirring title for real estate on the blockchain. A smart contract might, for example, automatically transfer title to the property to the buyer in a transaction once the buyer transfers cryptocurrency in the amount of the purchase price to the seller. Finally, what are NFTs? Well, NFTs or non-fungible tokens are another extension of blockchain technology. NFTs grant the holder the exclusive right to own, for example, a digital work of art such as a picture. NFTs experienced a huge wave of popularity in recent years as speculators purchase NFTs with the expectation that they would increase in value. All right, now we finished walking through some of the background, concepts, and definitions and terms for blockchain technology. So let's discuss some of the things that can go wrong and what the government wants to do about it. First, let's talk about site crypto-enabled crime, and let's look at some of the dangers inherent in blockchain technology. In other words, what are some of the ways that crypto and blockchain technology can be used to facilitate and be connected with crime? Well, the first and probably most well-known way is through old-fashioned fraud. Whenever a new kind of technology or potential asset or potential opportunity to make money through speculation on something comes along, so do people who try to exploit the popularity of that particular new thing to make money off of people and to rip them off. Probably the most well-known right now example of that is the FTX scandal and Sam Bankman-Fried as alleged by the government in the criminal case against SBF and some of FTX's founders. SBF and others made promises to investors and lenders to induce those folks to give FTX their money and crypto, which SBF and FTX's founders misused for their own game. That's the heart of a classic fraud case. When someone is lying or misleading or tricking someone else into giving them their money with no intention of ever delivering on their part of the bargain. Now of course, in their defense, folks like SBF may say and will often argue that they did intend to honor their part of the bargain, but unforeseen circumstances such as the depreciation and the value of crypto made it impossible for them to do so. And thus, the courts and juries will have to resolve those questions. Another good example of old-fashioned fraud is something known as the rug pull. That's when scammers invite people to invest in something that they promise will have big returns, but then take the investor's money and disappear. For example, in 2022, the U.S. Department of Justice or DOJ arrested two individuals for allegedly orchestrating a rug pull scheme involving NFTs. According to the DOJ, a rug pull refers to a scenario where the creator of an NFT and/or gaming project solicits investments and then abruptly abandons a project and fraudulently retains the investor's funds. In other words, here's a great new idea I have. You can buy these NFTs, which will go up in value, and this idea and that will help fund the development of this great idea, which will be very profitable. Give me your money. And when the poor victims give the person the money, they walk away and abandon the project. Now in that case, the two defendants advertised and sold NFTs they called Frosties, that allegedly came with benefits connected to a related project that was purportedly under development. If you Google Frosties and rug pull, you'll see what I'm talking about. Rather than provide the benefits, however, the two defendants allegedly took the 1.1 million in cryptocurrency provided to them by the investors and simply abandoned the project. As is the case with old-fashioned fraud, the federal government and prosecute fraud involving cryptocurrency using the Wire Fraud statute, 18 United States Code Section 1343, which prohibits the use of the quote, unquote "wires" which is any form of electronic communication or transmission, whether it's over the radio, television, through mobile communications, through the internet to obtain money or property from victims by fraudulent means, lies, deceit, misleading, failing to say material facts, et cetera. It is an incredibly broad statute that is often used by prosecutors. Another way that crypto is used to commit crimes is in ransomware cases, which you may have heard of. And what is ransomware? It's when threat actors or hackers infiltrate a business's or individual's computer system and encrypt all or parts of the system, rendering the system inoperable and data irretrievable unless the victim makes an extortion payment to receive a quote, unquote, "decryptor" to unlock the data and systems. Sometimes ransomware groups also steal sensitive, confidential data from a victim and demand an additional ransom to not release the data publicly. And this often results in sort of a double ransomware attack where first they lock up the victim system and demand a ransom for that, and then they demand an additional ransom to not release any sensitive data from the victim that they had stolen. Ransomware groups are extremely sophisticated. Ransomware software is commoditized and is offered for sale or lease on the dark web by hacking groups. And ransomware is an incredibly profitable way of engaging in cyber crime. Ransomware attacks can put a business out of business and may have life-threatening consequences, such as when ransomware groups target hospitals for attacks and shut down doctors' access to vital medical records. And hospitals are one of the favorite targets of ransomware for just this reason. Because a hospital is not going to take the time to recover their own systems, they're gonna pay the ransom because they need to get their systems up and running as quickly as possible. Now how does cryptocurrency fit into all of this? Well, ransomware threat actors nearly always demand ransom payments in cryptocurrency, why? Because they think it's harder to trace. Ransomware is a growing threat involving billions of dollars in losses and as a result has billions of dollars in cryptocurrency floating around their ransomware payments. Now we'll talk a little bit later about things victims should know and how they respond to ransomware attacks, such as a legal consequences for paying a ransom to the wrong person. The federal prosecutors can usually charge ransomware threat actors with violations of the federal computer hacking statute, which is called the Computer Fraud and Abuse Act. What is the Computer Fraud and Abuse Act? Well basically, it's a law that makes it illegal for someone to gain unauthorized access to a protected computer, which is basically any defined as any computer hooked up to the internet and to do something wrong with that computer to damage the computer, to steal information from the computer, to use that computer to commit another crime. Moving on, individuals to other kinds of crimes enabled by cryptocurrency, individuals who have amassed a significant amount of crypto investments are also the target of digital thieves who seek to steal their cryptocurrency, whether the crypto is stored externally, such as would a crypto exchange or trust, or internally on the individual's own computer or in cold storage. Crypto thieves will also target crypto exchanges where people can buy and sell and trade cryptocurrency by hacking into their networks and stealing the private keys to the crypto they hold on behalf of their customers. Mt. Gox, which was a very early crypto exchange, famously experienced a death of millions of dollars of its customers crypto and went out of business in 2014, and things like this still happen through today. Talking a little bit more about theft, thieves also target individuals directly to try to steal their access credentials. That is their username and password to their crypto accounts through methods like phishing, which is sending communications that appear to be from a legitimate crypto exchange, such as Coinbase, seeking to get the victim to divulge their username and password. Phishing is a psychological hacking attempt. It doesn't involve actually breaking into your computer. It involves you, the victim, handing over the keys to your computer or your network to the threat actor 'cause they've tricked you into doing it. So oftentimes, they will send you a text message or an email that purports to be from a crypto exchange or a legitimate bank and says, "Hey, we've detected in an authorized transaction and you need to call us right away." And if you do call them right away, they'll ask you for your username and password. And if you give it to them, you've just handed over access to your account to these threat actors. And just in case you're wondering how they know who to target, many folks who are engaged in the crypto space tend to advertise their involvements on the internet through Twitter or social media. And therefore, there's a long list of people who claim to have large holdings of crypto, who, you know, can be targeted by threat actors, but they also do random phishing attacks against people just in case. Now people who are cybersecurity savvy may have enabled two-factor authentication on their accounts, which as you probably know, involves an additional layer of authentication before someone get access to your account. So in addition to having username and password, you also need to input a code that is sent by a text messenger or an authenticator app to you to prove that your account is really yours. To get around that, threat actors can resort to SIM swapping, which is taking control of a victim's telephone number to receive text messages with access codes to a victim's crypto account. Now and the way they can do that is through a number of different ways. One, they can pay someone, a corrupt employee of say AT&T or Verizon, to switch your telephone number, mobile phone number, to someone else's mobile phone. Or two, they can call up customer service of AT&T and impersonates you and convince that representative to switch your phone number to the threat actor's phone. Prosecutors can use a variety of statutes to prosecute crypto thieves, including the Computer Fraud and Abuse Act, the wire fraud statute, and a statute prohibiting the interstate transportation of stolen money or property. However, sometimes clever cyber thieves will find loopholes and smart contracts or the computer code for a blockchain protocol to take crypto assets and tokens from the protocol. In those cases, the ability for prosecutors to charge the bad actors with a crime is murky, if the thieves didn't engage in any fraud or deceptive behavior and didn't hack into a computer system, but simply use legitimate but overlooked function of a smart contract to make off with crypto assets. That's why it's important to request to review the results of any code audits from any crypto protocol or DAO before you make a sizable investment in it. A reputable protocol will hire people to test their code to make sure there are none of these loopholes available that someone can exploit. Cryptocurrency is also the currency of choice for the purchase of illicit goods and services. Be they stolen identity information, access credentials, trade secrets, weapons, illegal drugs, human trafficking or illegal pornography on the so-called dark web, an area of the internet that is only accessible to those using tools that cover their tracks and obscure their identity. And finally, cryptocurrency is popular among those seeking to hide the proceeds of illegal activity through money laundering. In many cases, crypto can be transferred directly between individuals anywhere in the world with no intermediaries, making it easy and cheap for criminals to engage in a series of transactions to obfuscate the origin of their ill-gotten gains. However, one feature of the blockchain, immutability, means that for most types of cryptocurrency, there will be a permanent public record of all transactions for investigators to view. Law enforcements and private sector have developed sophisticated tools to trace crypto transactions on the blockchain and look for clues to the cyber criminals' true identities. In response, cyber criminals sometimes use so-called privacy coins, like Monero, which hides some of the transaction information on the blockchain or use a complex system of mixing and tumbling services and intermediaries, services that mix, for example, you know, stolen or ill-gotten crypto with legitimate crypto and transactions or which exchange is stolen crypto into several different cryptocurrencies, from bitcoin to Ether and back, to make it difficult for investigators to trace stolen crypto. From money laundering crimes, federal prosecutors can cause, can use two primary anti-money laundering statutes, 18 United States Code Section 1956 and 57, which generally make it illegal to engage in a transaction and money that you know to be the proceeds of illegal activity. We'll also talk about anti-money laundering or AML regulations and law such as the Bank Secrecy Act or BSA a little bit later in this program. So what are the authorities doing about all this? Well, the Department of Justice is taking crypto crime, crypto-related crimes so seriously. And in October of 2021, the DOJ announced the creation of a National Cryptocurrency Enforcement Team or NCET, which is designed to lead complex investigations and prosecutions of criminal misuses of cryptocurrency, including by targeting cryptocurrency exchanges, mixing and tumbling services and money laundering infrastructure actors such as the people who offer mixing and tumbling services. So now we've finished reviewing how crypto can be used to commit crimes and the things that the federal government can do about it. Let's talk about something that potentially affects anyone who invests in or works with the blockchain government regulation. So what's the government's approach to regulating crypto? Well, basically the government is trying to police crypto markets and regulate cryptocurrency, to prevent some of the things that I just spoke about. But to be honest, it's a bit of a mess. Multiple state and federal regulatory agencies are all vying to use regulatory schemes that predate blockchain technology to accomplish things like investor protection and to prevent money laundering. We don't have time to cover all of the different regulatory issues here today, but we'll take a look at some of the big ones. And these include: whenever someone uses cryptocurrency to raise capital or fundraise, an investor protection, you know, and these invoke potentially the securities and commodities laws, which are regulated by the SEC, and the Commodities Futures Trading Commission or CFTC respectively. Regulators also are seeking to prevent money laundering with AML laws and the BSA and impose trade sanctions on bad actors and nation states. And finally, the government is seeking to regulate money transmitters or money services businesses, which they define, in this context, as people who change cryptocurrency into fiat currency and back in certain kinds of crypto exchanges. So let's start by taking a look at the securities laws. The SEC has said that it considers most cryptocurrencies and digital tokens to be securities like stocks and bonds. The SEC sees the sale of crypto coins and tokens to the public by, for example, DAOs and protocols as a way for those entities to raise money. Much the same way as traditional corporations raise money by selling stock and initial public offerings are IPOs. In fact, the initial sale of dig digital tokens is sometimes called an initial coin offering, or ICO, which makes it sound like an IPO. To protect investors from fraud, the SEC believes that the sale of digital tokens should be handled the same way as the sale of traditional securities are handled. Securities according to the SEC and the securities laws should be registered with the SEC. That means registration statements must be prepared to provide necessarily disclosures to investors and need to be approved by the SEC. Entities trading securities should be also registered as exchanges, broker dealers, or alternative trading systems, and that brings them under the authority of the SEC to conduct audits and examinations and requires them to make various disclosures about their business and entity. And finally, securities issuers and trading entities should provide the public with these disclosures, business plans, audited financials, the identity of their managers, material risks, et cetera. In addition, these disclosures and registrations must also be reviewed and approved by the SEC in many cases. There are also certain exceptions for experienced investors and sales of securities outside the United States to non-US persons. So the securities laws don't always apply in every case, but these exceptions are narrow. For example, a U.S. person is usually defined as anyone who is a U.S. citizen or permanent resident or any corporate entity organized under the laws of the U.S. even if those persons are located abroad. So if you're going to sell securities to people purely outside of the U.S. who are not, U.S. citizens, if you're gonna sell your crypto , or tokens of people who are not U.S. citizens who reside outside of the U.S., Maybe, you know, you may qualify for one of these exceptions. But if you don't qualify for an exception, the registration process is expensive and time consuming. And finally, for those who don't comply, there are civil and even criminal penalties for failing to follow the securities laws. Unfortunately, to make matters worse, the SEC has not given clear guidance, nor has it approved any applications to registered digital tokens. In other words, the SEC is not actually approved any attempts to register a digital asset as a security. The SEC has, however, provided some guidance on how to determine if a digital asset is a security. The SEC believes that most digital assets are investment contracts and uses a Supreme court case from the 1940s, SEC versus W.J. Howey Co., to determine if a token or a coin is an investment contract, and thus, a security. This is called the Howey test and it has at least three parts. First is the investment of money. The first prong of the how we test is typically satisfied in an offer and sale of a digital asset because a digital asset is purchased for money. The second prong is common enterprise. There must be some sort of common enterprise. This can include the tying of each of the investors' fortunes to the fortunes of the other investors by pooling assets and the distribution of profits. It can also be measured by focusing on the relationship between the founder or promoter of the enterprise with the investors. And finally, there must be a reasonable expectation of profits derived from the efforts of others. This part is often subdivided into two additional parts, one that focuses on the reasonable expectation of profits and the other that focuses on the efforts of others. It asks if the investor expects to make money through participation in the distribution of digital assets or by selling for gain on secondary markets. It also looks at whether a promoter, sponsor or other third party provides essential management support that affects the success of the enterprise and that the investor expects to make money fair from the success. So let's apply the Howey test by asking ourselves if any of the following affects whether a token is a security or not. So first, you have a protocol that is not fully functional at the time of the sale of the tokens, and the proceeds from that sale will be used to fund the developments of the protocol. The SEC would view this as making it more likely that the token is a security because the the entity and the protocol is fundraising to complete development of the protocol. And so there will be an expectation that the proceeds of the sale will be used to fund the development of the protocol. And that once fully functional, there will be, you know, expectation of profit from it. On the other hand, another test is if the protocol is primarily managed by devoting of token holders. So if there's no actual management team and all of the development and management is done by consensus of those who hold tokens, this would be less likely to be considered a security by the SEC. However, if the protocol is primarily managed by a small group of developers, then this would be more likely to be considered a security by the SEC. The token is expected to increase or decrease in value in secondary trading markets. This can go both ways. On the one hand, it can be viewed as a reason why something can be a security. On the other hand, merely the fact that the investor expects the price to go up, you know, in secondary markets and it's not enough alone to find it in security. Another way to look, another issue is if the token has utility within the protocol's ecosystem. In other words, is this token something that the investor holds onto and hopes that it generates money for them? Or is this something that the investor will use in the ecosystem? So imagine a video game in which you buy tokens to use in the video game itself. That would make it less likely that the SEC would view them as securities. And finally, the token is used to distribute profits to investors from the growth of the ecosystem. This would be viewed as making it more likely that it's the security because it's similar to the way, you know, a corporation might distribute dividends to its shareholders. The SEC has been successful in all the enforcement actions it has brought to date on the question of whether a digital token is a security. One big pending case is whether XRP, the world's seven largest cryptocurrency created by Ripple Labs, a crypto and technology company is a security. Both the SEC and Ripple filed summary judgment motions in the fall of 2020. And the court is expected to rule in the coming weeks, either by declaring one or both sides to prevail on a particular on particular issues or by sending the case to be resolved at trial. That case is SEC v. Ripple Labs. The SEC has also recently brought even more aggressive fraud cases involving crypto assets, including two cases in which they accuse insiders at crypto-related companies of engaging in insider training in NFTs and cryptocurrency. These cases include United States v. Chastain, in which the DOJ accused an employee of a company that markets NFTs of committing fraud for trading on inside information over which NFTs would be featured on the company's website. All right, the other case is SEC v. Wahi. Both the DOJ and SEC brought parallel criminal and civil actions charging three former employees of Coinbase for engaging insider trading based on non-public information about crypto assets that which crypto assets will be listed for trading on Coinbase's platform. The SEC's complaint declares that at least nine of the 25 crypto assets that were the subject of the alleged insider trading were securities. In response to the SEC's enforcement action, CFTC Commissioner Caroline Pham issued a rare public rebuke of the SEC's declaration that a broad array of crypto assets in the case were securities, asserting that the SEC was engaged in regulation by enforcement and that the SEC should clarify its position on crypto assets by engaging in a transparent rulemaking process. In other words, the SEC is running around declaring certain crypto assets to be securities, but often not entirely explaining or justifying why this is. And let's talk now about the commodities laws. The CFTC has authority to police commodities markets for fraud and the CFTC considers digital assets like cryptocurrencies to be commodities. Accordingly, the CFTC can bring enforcement actions for fraud involving cryptocurrencies. However, the CFTC has broader authority, similar to how the SEC has authority over securities markets, over certain finance retail transactions where the digital assets are not delivered within 28 days and over derivatives. That is digital asset transactions involving futures options or swaps. In those situations, entities engaged in the facilitating the trading of digital assets might have obligations to register with the CFTC as a futures commodity merchant or designated contract merchant or other entity. For example, in September 2021, the CFTC entered into a settlement with Kraken, a large cryptocurrency market, for entering into margined retail commodity transactions in digital assets to U.S. customers in which the assets were not always delivered to customers within 28 days. The CFTC found that Kraken was required to register as both an FCM and a DCM and was made to pay $1.25 million as a civil penalty. Let's now talk about AML and trade sanctions issues. Returned AML trade sanctions issues involving crypto and digital assets. We've already mentioned how criminals seek to use crypto to attempt to launder the proceeds of their crimes. Now we'll look at any requirements for entities involved in the crypto industry to detect and stop money laundering and trade sanctions violations. The important points to note are: the primary issue is for entities that deal with crypto to fulfill AML and BSA requirements to vet customers and monitor money movements; whether or not an entity has a clear AML legal requirement or obligation, and it is murky for some entities, the failure to perform fundamental due diligence on customers in the crypto markets is an invitation for regulatory oversight; preventing transactions that might implicate numerous sanctions regimes overseen by OFAC is also important. In other words, if you're involved in the business of trading cryptocurrency or you have a cryptocurrency exchange and you're trading digital assets, it's important to note who your customers are. It's important to know whether your customers or any trade sanctions list. And it's important to do your diligence to make sure that you were not unknowingly or unwittingly helping to facilitate money laundering or other violations of the law. So what are some of the issues around here? You know, and what is money laundering? Well, money laundering transforms the proceeds of crime into seemingly legitimate funds and access. However, you don't need to engage in money laundering to commit money laundering related crimes. For example, if you own a money transmitting business, which would typically include most crypto exchanges, you are required to register with state and federal authorities. Or you can face criminal prosecution as an unlicensed money transmitting business under federal law. Money transmitters and certain other financial institutions are also required to maintain AML programs under the BSA. Now, what is the B BSA involved in terms of AML programs? Well, it requires that you maintain an AML program, including a customer due diligence program, which asks you to identify who your customers are and get proof of their identity reporting, any suspicious transactions those customers engage into the government that you're regulated by the Financial Crimes Enforcement Network or FinCEN, which is a federal regulator. And that financial institutions covered by the NBSA include things like banks, trust companies, broker dealers, money services businesses among others, including any of these entities that also deal with cryptocurrency. Businesses that failed to comply with the BSA could be subject to the civil and criminal penalties. For example, in 2015, ripple Labs settled with FinCEN and DOJ civil and criminal charges for selling cryptocurrency without registering as a money services business and ultimately had to pay a total of 700,000 in civil and criminal penalties. Specifically, what do you need to do into the BSA? Well, if you have an AML program, you need to appoint an AML officer. You need to have policies and procedures to detect money laundering. You need to engage in training and and independent testing and audits of your program. You also need to have a customer due diligence program, and you need to have suspicious activity reporting. You need to monitor your transactions, know who your customers are, and report activity in excess of certain thresholds. So now let's talk about trade sanctions. Sanctions programs are typically authorized by law and presidential executive orders. And the primary regulators, the Office of Foreign Assets Control or OFAC. Sanctions programs make it illegal to do business with certain individuals, businesses or nation states, depending on the specific program, and they are subject to certain exceptions. The Nutshell enforcement through OFAC is primarily civil in terms of civil monetary penalties, but is also a criminal component that the DOJ can enforce as well. OFAC issues lists, which are known as specially designated nationals and blocked persons lists, pursuance executive orders to designate certain individuals and entities for sanctions. You know, these SDN lists and assets belonging to people on the SDN list must be frozen and the business must contact OFAC to determine how to proceed. But OFAC can issue licenses to conduct business with sanctioned entities if you apply for one. Since 2015, OFAC has maintained a sanctions program that has applied to malicious cyber enabled activities, which also concludes cryptocurrency. It applies to all U.S. persons. And OFAC can also issue secondary sanctions, which is that if a non-US person engages in too many transactions with a sanctioned individual or entity, OFAC may add that person to an SDN list. Now one thing to know is that OFAC civil violations are strict liability, which means you don't have to know that the person was on an SDN list to get in trouble with OFAC. Let's look at a few case studies for OFAC. BitPay was a payment processor that allowed merchants to accept payments in crypto. BitPay had a sanctions program in place to screen its merchant customers, but it did not screen its merchant customers' customers, even though it received info IP addresses that could have been used to identify the customers as being in sanctioned jurisdictions like Crimea, Cuba, North Korea, Iran, Sudan, and Syria. It included approximately 2000 transactions sold in $129,000 and BitPay was required to pay a fine of $507,000. Another in issue is Tornado Cash, which allegedly laundered more than $7 million since 2019, including 455 million stolen by a North Korean hacking group. Tornado Cash facilitated the anonymous crypto transactions by obfuscating the origin designation and counterparties. It was one of these mixing and tumbling services. As a result, it was designated under the executive order for cyber crime and placed on SDN list. And as a result, nobody can do business in the United States with Tornado Cash anymore. Now we talked about federal regulators, but there is a host of state regulators that also involve, that also seek to regulate cryptocurrency. For example, the New York State Department of Financial Services, which is New York State's banking and insurance regulator issues BitLicenses to companies engaged in virtual business activity. And if you do engage in any of these activities in New York State, you do have to register with the New York DFS. Further, many crypto businesses also have to comply with state AML, securities, and fraud laws, among others, in each state where they have customers or do business. So finally, let's get back to ransomware. And we do wanna talk about a case study for ransomware. As we discussed, ransomware is ubiquitous and many cyber insurance policies will cover the payment of a ransom. However, the decision to pay a ransom carries legal and other risks. So consider the following: paying a ransom makes ransomware profitable for hackers and causes more ransomware attacks. On the other hand, it may be the only way for a business to get its data and systems back. A business might pay the ransom and not get their money back anyway, the data back anyway. But a business might pay the ransom and it knowingly violate US sanctions laws because OFAC has placed a ransomware developers, a certain crypto exchange, a hacking group, certain crypto wallets, certain nation states and others associated with the ransomware on SDN lists. So what's the best way to mitigate your legal exposure if you pay the ransom? Well, first is to have a cybersecurity vendor conduct due diligence on the ransomware group, crypto wallet, or other aspects of the ransomware attack to determine if there is anything that can be traced to a sanctioned person or entity. To self-report the ransomware payments OFAC or law enforcement properly. So even if you don't have any reason to believe that the person you paid is on a sanctions list, report it to OFAC or the FBI anyway, because OFAC treats self-reporting as a mitigating factor in enforcement actions. And a company might receive leniency for OFAC for self-reporting if it turns out the company actually did pay the ransom to a sanction entity. And also maintain if you can a sanctions and cybersecurity compliance program, which OFAC will also treat as mitigating factors. And our final case study is the Colonial Pipeline ransomware attack. You probably are familiar with this in the news. But basically, in May of 2021, a ransomware attacked by a Russian ransomware group called DarkSide, attacked, you know, Colonial Pipelines network and effective ransomware. Colonial proactively shut its pipeline down to avoid further infection of its network and notify federal authorities and agencies in the FBI and hired a cybersecurity forensic firm to help. It took about two weeks, but it was finally able to get its pipeline fully operational. Now, did loan Colonial pay the ransom? You bet it did. It paid 4.5 billion in bitcoin almost immediately after receiving the ransomware demand. Did the ransomware attackers get away with the attack? Yes and no. Because in response to international law enforcement pressure on May 13, 2021, DarkSide announced that it was shutting down and issuing decrypts to all of its victims. And later on June 7, 2021, the DOJ announced that it was able to trace and seize $2.3 million of the ransom out of the 4.4 million that was paid. And again, was able to do that because I said before, cryptocurrency isn't as secret as you think it is, since there is still a public record of all the transactions involving that cryptocurrency. So that comes to conclusions and recap here today. The conclusions and recap here is that there are lots of opportunities and lots of promise and you know, promise with blockchain technology. However, it is a new technology. The regulation of it is not sorted out. And it is something that has attracted a large share of tension from cyber criminals. So you need to be careful, you need to do your diligence, and you need to understand what the legal and regulatory laws are that apply to your activities. And if you do that, it could turn out to be a very good opportunity for you. And with that, thank you for listening to the class here today.

Presenter(s)

JF
Joe Facciponti
Executive Director & Adjunct Professor
NYU Program on Corporate Compliance and Enforcement

Credit information

Jurisdiction
Credits
Available until
Status
Alabama
  • 1.0 general
Pending
Alaska
  • 1.0 voluntary
January 23, 2025 at 11:59PM HST Available
Arizona
  • 1.0 general
January 23, 2025 at 11:59PM HST Available
Arkansas
  • 1.0 general
January 23, 2025 at 11:59PM HST Approved
California
  • 1.0 general
January 23, 2025 at 11:59PM HST Approved
Colorado
  • 1.0 general
December 31, 2025 at 11:59PM HST Approved
Connecticut
  • 1.0 general
January 23, 2025 at 11:59PM HST Available
Delaware
  • 1.0 general
Pending
Florida
  • 1.0 technology
October 31, 2024 at 11:59PM HST Approved
Georgia
  • 1.0 general
Pending
Guam
  • 1.0 general
January 23, 2025 at 11:59PM HST Available
Hawaii
  • 1.0 general
January 23, 2025 at 11:59PM HST Approved
Idaho
  • 1.0 general
Not Offered
Illinois
  • 1.0 general
February 9, 2025 at 11:59PM HST Approved
Indiana
  • 1.0 general
December 31, 2024 at 11:59PM HST Approved
Iowa
  • 1.0 general
January 10, 2025 at 11:59PM HST Approved
Kansas
  • 1.0 general
January 9, 2025 at 11:59PM HST Approved
Kentucky
  • 1.0 general
June 30, 2024 at 11:59PM HST Approved
Louisiana
  • 1.0 general
Pending
Maine
  • 1.0 general
December 31, 2026 at 11:59PM HST Self Apply
Minnesota
  • 1.0 general
March 15, 2025 at 11:59PM HST Approved
Mississippi
  • 1.0 general
Pending
Missouri
  • 1.2 general
January 23, 2025 at 11:59PM HST Available
Montana
  • 1.0 general
January 20, 2026 at 11:59PM HST Approved
Nebraska
  • 1.0 general
Not Offered
Nevada
  • 1.0 general
December 31, 2026 at 11:59PM HST Available
New Hampshire
  • 1.0 general
January 23, 2025 at 11:59PM HST Available
New Jersey
  • 1.2 general
Pending
New Mexico
  • 1.0 general
February 24, 2028 at 11:59PM HST Approved
New York
  • 1.2 areas of professional practice
January 23, 2025 at 11:59PM HST Available
North Carolina
  • 1.0 general
February 29, 2024 at 11:59PM HST Approved
North Dakota
  • 1.0 general
January 23, 2025 at 11:59PM HST Available
Ohio
  • 1.0 general
Pending
Oklahoma
  • 1.0 general
Not Offered
Oregon
  • 1.0 general
January 24, 2026 at 11:59PM HST Approved
Pennsylvania
  • 1.0 general
January 16, 2026 at 11:59PM HST Approved
Puerto Rico
  • 1.0 general
Not Offered
Rhode Island
  • 1.0 general
Not Offered
South Carolina
  • 1.0 general
Pending
Tennessee
  • 1.0 general
Pending
Texas
  • 1.0 general
Pending
Utah
  • 1.0 ethics
Not Offered
Vermont
  • 1.0 general
January 23, 2025 at 11:59PM HST Approved
Virginia
    Not Eligible
    Virgin Islands
    • 1.0 technology
    January 23, 2025 at 11:59PM HST Available
    Washington
    • 1.0 law & legal
    January 24, 2028 at 11:59PM HST Approved
    West Virginia
    • 1.0 ethics
    Not Offered
    Wisconsin
      Not Eligible
      Wyoming
      • 1.0 general
      Pending
      Credits
      • 1.0 general
      Available until
      Status
      Pending
      Credits
      • 1.0 voluntary
      Available until

      January 23, 2025 at 11:59PM HST

      Status
      Available
      Credits
      • 1.0 general
      Available until

      January 23, 2025 at 11:59PM HST

      Status
      Available
      Credits
      • 1.0 general
      Available until

      January 23, 2025 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until

      January 23, 2025 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until

      December 31, 2025 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until

      January 23, 2025 at 11:59PM HST

      Status
      Available
      Credits
      • 1.0 general
      Available until
      Status
      Pending
      Credits
      • 1.0 technology
      Available until

      October 31, 2024 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until
      Status
      Pending
      Credits
      • 1.0 general
      Available until

      January 23, 2025 at 11:59PM HST

      Status
      Available
      Credits
      • 1.0 general
      Available until

      January 23, 2025 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until
      Status
      Not Offered
      Credits
      • 1.0 general
      Available until

      February 9, 2025 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until

      December 31, 2024 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until

      January 10, 2025 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until

      January 9, 2025 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until

      June 30, 2024 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until
      Status
      Pending
      Credits
      • 1.0 general
      Available until

      December 31, 2026 at 11:59PM HST

      Status
      Self Apply
      Credits
      • 1.0 general
      Available until

      March 15, 2025 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until
      Status
      Pending
      Credits
      • 1.2 general
      Available until

      January 23, 2025 at 11:59PM HST

      Status
      Available
      Credits
      • 1.0 general
      Available until

      January 20, 2026 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until
      Status
      Not Offered
      Credits
      • 1.0 general
      Available until

      December 31, 2026 at 11:59PM HST

      Status
      Available
      Credits
      • 1.0 general
      Available until

      January 23, 2025 at 11:59PM HST

      Status
      Available
      Credits
      • 1.2 general
      Available until
      Status
      Pending
      Credits
      • 1.0 general
      Available until

      February 24, 2028 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.2 areas of professional practice
      Available until

      January 23, 2025 at 11:59PM HST

      Status
      Available
      Credits
      • 1.0 general
      Available until

      February 29, 2024 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until

      January 23, 2025 at 11:59PM HST

      Status
      Available
      Credits
      • 1.0 general
      Available until
      Status
      Pending
      Credits
      • 1.0 general
      Available until
      Status
      Not Offered
      Credits
      • 1.0 general
      Available until

      January 24, 2026 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until

      January 16, 2026 at 11:59PM HST

      Status
      Approved
      Credits
      • 1.0 general
      Available until
      Status
      Not Offered
      Credits
      • 1.0 general
      Available until
      Status
      Not Offered
      Credits
      • 1.0 general
      Available until
      Status
      Pending
      Credits
      • 1.0 general
      Available until
      Status
      Pending
      Credits
      • 1.0 general
      Available until
      Status
      Pending
      Credits
      • 1.0 ethics
      Available until
      Status
      Not Offered
      Credits
      • 1.0 general
      Available until

      January 23, 2025 at 11:59PM HST

      Status
      Approved
      Credits
        Available until
        Status
        Not Eligible
        Credits
        • 1.0 technology
        Available until

        January 23, 2025 at 11:59PM HST

        Status
        Available
        Credits
        • 1.0 law & legal
        Available until

        January 24, 2028 at 11:59PM HST

        Status
        Approved
        Credits
        • 1.0 ethics
        Available until
        Status
        Not Offered
        Credits
          Available until
          Status
          Not Eligible
          Credits
          • 1.0 general
          Available until
          Status
          Pending

          Become a Quimbee CLE presenter

          Quimbee partners with top attorneys nationwide. We offer course stipends, an in-house production team, and an unparalleled presenter experience. Apply to teach and show us what you've got.

          Become a Quimbee CLE presenter image