On October 14, NYDFS released a report detailing the Department’s investigation into the July 2020 social media hacks of public figures and cryptocurrency firms, concluding that the social media platform lacked adequate cybersecurity protections and recommending increased regulation of large social media companies. The investigation, which was requested by New York Governor Andrew Cuomo, determined, among other things, that (i) the social media hackers obtained log-in credentials from four employees by pretending to be from the company’s IT department; (ii) the hackers stole over $118,000 worth of bitcoin from consumers by tweeting, from the accounts of celebrities and several bitcoin companies, “double your bitcoin” with a link to send bitcoin payments; (iii) certain Department-regulated cryptocurrency companies blocked attempted transfers to the hacker’s addresses; and (iv) the social media company lacked adequate cybersecurity protection, including not having “a chief information security officer, adequate access controls and identity management, and adequate security monitoring.” The report recommends that the largest social media companies be designated as “systemically important institutions” subject to a council analogous to the Financial Stability Oversight Council. The report suggests the social media companies should be subject to enhanced regulation, including “stress test” scenarios covering cyberattacks and election interference.
On October 21, NYDFS announced authorization for a digital payments company to launch a service for U.S. customers to buy, sell, and hold certain NYDFS-approved cryptocurrencies. Under the terms of the “conditional Bitlicense,” the payments company will partner with a New York-chartered trust company responsible for providing cryptocurrency trading and custodial services. According to NYDFS Superintendent Linda Lacewell, this first conditional Bitlicense represents the state regulator’s efforts “to encourage, promote, and assist interested institutions to have a well-regulated way to access the New York virtual currency marketplace in a way that is both timely and protective of New York consumers.” NYDFS first announced the proposed conditional licensing framework in June (covered by InfoBytes here).
On October 8, U.S. Attorney General William P. Barr released his Cyber-Digital Task Force’s comprehensive overview of emerging threats and enforcement challenges associated with the increased use of cryptocurrencies. The report, titled Cryptocurrency: An Enforcement Framework, is divided into three parts and details the relationships that the DOJ has built with U.S. and foreign regulatory and enforcement partners, and summarizes the Department’s response strategies.
- Part I: Threat Overview. This section illustrates how malicious actors misuse cryptocurrency technology to harm users and commit crimes. The task force catalogs most illicit uses of cryptocurrency into the following three broad categories: (i) “financial transactions associated with the commission of crimes,” including soliciting funds to support terrorist activities; (ii) money laundering and the shielding of otherwise legitimate activity from tax, reporting, or other legal requirements; or (iii) crimes that directly implicate the cryptocurrency marketplace itself, such as stealing cryptocurrency or promising cryptocurrency to defraud investors.
- Part II: Law and Regulations. This section explores the various legal and regulatory authorities that the DOJ has used to bring cryptocurrency enforcement actions, and highlights its partnerships with other U.S. federal and state authorities and foreign enforcement agencies to prevent crime and provide investigatory assistance.
- Part III: Ongoing Challenges and Future Strategies. This section discusses the ongoing challenges presented by the misuse of cryptocurrency, as well as ongoing strategies to combat emerging threats. This includes an examination of certain business models and activities employed by cryptocurrency exchanges, including money service businesses, virtual asset and peer-to-peer exchanges and platforms, kiosk operators, and casinos.
This is the task force’s second report. The first report, published in 2018, provides a more general overview of cyber threats.
On October 1, the CFTC filed charges against five entities and three individuals for allegedly owning and operating an unregistered cryptocurrency derivatives platform and failing to implement required anti-money laundering procedures. The complaint alleges that the platform “illegally offer[ed] leveraged retail commodity transactions, futures, options, and swaps” on cryptocurrencies without implementing key safeguards required by the Commodity Exchange Act and several CFTC regulations, including compliance measures such as know-your-customer procedures or actions designed to detect and prevent illicit activities. The CFTC also claims that the exchange operated as an unregistered futures commission merchant and did not have CFTC approval to operate as a designated contract market or swap execution facility. The complaint requests civil monetary penalties and remedial ancillary relief in the form of (i) permanent trading and registration bans; (ii) disgorgement; (iii) restitution; (iv) pre- and post-judgment interest; and (v) a permanent injunction from future violations.
In a parallel action, the U.S. Attorney for the District of New York indicted the three individuals along with a fourth individual on federal charges of violating, and conspiring to violate, the Bank Secrecy Act “by willfully failing to establish, implement, and maintain an adequate anti-money laundering program” at the exchange.
On September 21, the OCC released Interpretive Letter 1172, stating that national banks may hold stablecoin in reserve accounts as a service to bank customers and may engage in activity incidental to receiving the deposits. According to the OCC, issuers of stablecoins—a type of cryptocurrency backed by an asset such as a fiat currency—have a desire to place assets in reserve accounts with national banks to “provide assurance that the issuer has sufficient assets backing the stablecoin in situations where there is a hosted wallet.” Hosted wallet, as defined by the OCC, is “an account-based software program for storing cryptographic keys controlled by an identifiable third party.” Because national banks are authorized to receive deposits and provide “permissible banking services to any lawful business they choose,” they may provide these services to issuers of stablecoins, as long as they comply with applicable laws and regulations. (In Interpretive Letter 1170, the OCC approved the holding of cryptocurrency on behalf of customers, covered by InfoBytes here.) Specifically, the OCC noted that national banks should ensure that deposit activities comply with the Bank Secrecy Act and anti-money laundering regulations. Moreover, a national bank must also “identify and verify the beneficial owners of legal entity customers opening accounts.” Lastly, the OCC emphasized that stablecoin reserves “could entail significant liquidity risks,” and national banks may consider entering into contractual agreements with stablecoin issuers to “verify and ensure that the deposit balances held by the bank for the issuer are always equal to or greater than the number of outstanding stablecoins issued by the issuer.” This guidance does not apply to stablecoin transactions involving un-hosted wallets.
On September 11, the CFTC filed a complaint in the U.S. District Court for the Southern District of Texas against four individuals accused of operating a purported multi-level marketing scheme involving the solicitation of nearly $100,000 in customer funds that were to be used to speculate in cryptocurrency. The CFTC alleged that the defendants violated the Commodity Exchange Act by, among other things, creating the false illusion that their business employed “master traders” with years of cryptocurrency trading experience, that customers’ earnings would increase based on the amount of their deposits, and that customers who made referrals would receive bonuses. Additionally, the defendants posted misleading trade statements online that failed to “accurately reflect the Bitcoin trading purportedly undertaken by [the d]efendants and led certain customers to believe they were earning significant amounts of money from [the d]efendants’ trading of Bitcoin on their behalf.” The CFTC further claimed that when customers tried unsuccessfully to withdraw their funds, the defendants would first claim their website or smartphone app was experiencing technical problems, but then eventually stopped responding to the customer requests. The CFTC seeks to enjoin the defendants’ allegedly unlawful acts and practices, to compel compliance with the Commodity Exchange Act and CFTC regulations, and to further enjoin the defendants from engaging in any commodity interest-related activity. In addition, the CFTC seeks civil monetary penalties, restitution, trading and registration bans, and other statutory, injunctive, or equitable relief as the court may deem necessary and appropriate.
On August 14, the Texas State Securities Board issued a cease and desist order against three South African companies and an officer of the companies (collectively, “defendants”) accused of violating the state’s securities act by engaging in an international cryptocurrency debit card scheme. The defendants allegedly solicited Texas residents to make investments that promised guaranteed gains based on the number of cardholders that eventually signed up for the cryptocurrency debit card. The cryptocurrency debit card was promoted as a prepaid Mastercard that would allow cardholders to use various types of stablecoins to avoid certain taxable events. However, the defendants allegedly intentionally failed to disclose the risks associated with the use of stablecoins (e.g. stablecoin transactions are not reversible and “a party sending stablecoins to an address accepts the risk that the party may lose access to, or any claim on, the stablecoins”), nor did they disclose that legislation and regulations may negatively impact the taxation of cryptocurrencies. Additionally, the order states that the defendants concealed business information about their relationships, contracts, compensation, and the use of the funds, and that because they are not registered as dealers or agents with the Texas State Securities Board, they cannot sell their investment products in Texas.
Chinese nationals sanctioned and charged with laundering over $100 million in cryptocurrency from hacked exchange
On March 2, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Orders 13694, 13757, and 13722 against two Chinese nationals for allegedly laundering over $100 million in stolen cryptocurrency connected to a North Korean state-sponsored cyber group that hacked cryptocurrency exchanges in 2018. According to OFAC, the two individuals “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a malicious cyber-enabled activity” or in support of the North Korean cyber group, which was designated by OFAC last September (covered by InfoBytes here). OFAC stated that it closely coordinated its action with the U.S. Attorney’s Office for the District of Columbia and the Internal Revenue Service’s Criminal Investigation Division. As a result of the sanctions, “all property and interests in property of these individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC.” OFAC further noted that its regulations “generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of blocked or designated persons,” and warned foreign financial institutions that knowingly facilitating significant transactions or providing significant financial services to the designated individuals may subject them to U.S. correspondent account or payable-through sanctions.
On the same day, the DOJ unsealed a two-count indictment against the two individuals, charging them with money laundering conspiracy and operating an unlicensed money transmitting business. The indictment claims that the individuals converted virtual currency traceable to the hack of a cryptocurrency exchange into fiat currency or prepaid Apple iTunes gift cards through accounts in various exchanges linked to Chinese banks and then transferred the currency or gift cards to customers for a fee. According to the indictment, neither individual was registered as a money transmitting business with the Financial Crimes Enforcement Network, which is a federal felony offense. The complaint seeks forfeiture of 113 virtual currency accounts belonging to the individuals.
On February 19, the SEC announced a settlement with a blockchain technology company resolving allegations that the company conducted an unregistered initial coin offering (ICO). According to the order, the company raised approximately $45 million from sales of its digital tokens to raise capital to develop a digital asset trade-testing platform and to build a cryptocurrency-related data marketplace. The SEC alleges that the company violated Section 5(a) and 5(c) of the Securities Act because the digital assets it sold were securities under federal securities laws, and the company did not have the required registration statement filed or in effect, nor did it qualify for an exemption to the registration requirements. The order, which the company consented to without admitting or denying the findings, imposes a $500,000 penalty and requires the company to register its tokens as securities, refund harmed investors through a claims process, and file timely reports with the SEC.
On February 6, SEC Commissioner Hester M. Peirce announced her proposal for a three-year safe harbor rule applicable to companies developing digital assets and networks. Peirce suggested that not only would the rule provide regulatory flexibility “that allows innovation to flourish,” but it would also protect investors by “requiring disclosures tailored to their needs” while still maintaining anti-fraud safeguards, allowing investors to participate in token networks of their choice. Proposed Securities Act Rule 195 would allow companies to sell or offer tokens without being subject to the Securities Act of 1933, and without the tokens being subject to the registration requirements of the Securities Act of 1934. In order to qualify for these exemptions, the proposed rule requires that a company developing a network must, among other things, (i) “intend for the network on which the token functions to reach network maturity…within three years of the date of the first token sale”; (ii) “disclose key information on a freely accessible public website,” including applicable source code and descriptions of how to search and verify transactions on the network; (iii) offer and sell its tokens in order to allow access to or development of its network; (iv) make “good faith and reasonable efforts to create liquidity for users”; and (v) “file a notice of reliance” with the SEC’s EDGAR system within 15 days of the company’s first token sale made in reliance on the safe harbor. Peirce suggested that the three-year grace period for qualifying companies would allow time for the development of decentralized or functional networks, and, at the end of the three years, a successful network’s tokens would not be regulated as securities.