Securities Industry Commentator by Bill Singer Esq

SEC Charges Exchange-Traded Product and Its General Partner With Disclosure Failures (SEC Release)

CFTC Orders United States Commodity Funds LLC to Pay $2.5 Million for Failure to Fully Disclose Information Relating to Trading Limitations to Commodity Pool Participants (CFTC Release)

Ukrainian Arrested and Charged with Ransomware Attack on Kaseya / Justice Department Seizes $6.1 million Related to Alleged Ransomware Extortionists (DOJ Release)

Court Orders Asset Freeze and Other Preliminary Relief Against Recidivist and Barred Investment Adviser and His Firm (SEC Release)

Statement on DeFi Risks, Regulations, and Opportunities by SEC Commissioner Caroline A. Crenshaw

2021 SEC Regulation Outside the United States - Scott Friestad Memorial Keynote Address by Gurbir Grewal, Director, Division of Enforcement

There's Something Happening Here (at a FINRA Arbitration ) But What It Is Ain't Exactly Clear (BrokeAndBroker.com Blog)

[U]SO's investment objective is to track the changes in the spot price of oil, as measured by the changes in prices of certain oil futures contracts. In April 2020, in the midst of oil market turmoil and the near-month futures contract closing at a negative price, USO's sole futures broker told USO it would not execute any new oil futures positions for USO. As a result of this limitation, USO was restricted from investing the proceeds generated by the future sale of newly created shares in oil future contracts, creating the risk that USO would not be able to meet its stated investment objective. The order finds that USO did not fully disclose the character and nature of the limitation until one month after the limit was first imposed.

Specifically, the order finds that from about April 22, 2020 to June 12, 2020, U.S. Commodity Funds failed to fully disclose to commodity pool participants that USO's only futures commission merchant had imposed certain position limits on USO that would render the pool unable to purchase additional futures contracts in connection with the future offering of new exchange traded fund shares. This failure to disclose material information to commodity pool participants operated as a fraud on those participants.

Vasinskiy Indictment

https://www.justice.gov/opa/press-release/file/1447126/download

Polyanin Indictment 

https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya

According to court documents, Vasinskyi was allegedly responsible for the July 2 ransomware attack against Kaseya. In the alleged attack against Kaseya, Vasinskyi caused the deployment of malicious Sodinokibi/REvil code throughout a Kaseya product that caused the Kaseya production functionality to deploy REvil ransomware to "endpoints" on Kaseya customer networks. After the remote access to Kaseya endpoints was established, the ransomware was executed on those computers, which resulted in the encryption of data on computers of organizations around the world that used Kaseya software.

Through the deployment of Sodinokibi/REvil ransomware, the defendants allegedly left electronic notes in the form of a text file on the victims' computers. The notes included a web address leading to an open-source privacy network known as Tor, as well as the link to a publicly accessible website address the victims could visit to recover their files. Upon visiting either website, victims were given a ransom demand and provided a virtual currency address to use to pay the ransom. If a victim paid the ransom amount, the defendants provided the decryption key, and the victims then were able to access their files. If a victim did not pay the ransom, the defendants typically posted the victims' stolen data or claimed they sold the stolen data to third parties, and victims were unable to access their files. 

Vasinskyi and Polyanin are charged in separate indictments with conspiracy to commit fraud and related activity in connection with computers, substantive counts of damage to protected computers, and conspiracy to commit money laundering. If convicted of all counts, each faces a maximum penalty of 115 and 145 years in prison, respectively.

The $6.1 million seized from Polyanin is alleged to be traceable to ransomware attacks and money laundering committed by Polyanin through his use of Sodinokibi/REvil ransomware. The seizure warrant was issued out of the Northern District of Texas. Polyanin is believed to be abroad.

[R]ege and his company SwapStar Capital, LLC solicited Rege's friends, neighbors, and other referrals to be the defendants' investment advisory clients. Rege and SwapStar allegedly misrepresented to their clients that client money would be invested in securities for guaranteed returns. According to the SEC's complaint, Rege and SwapStar instead used client money to pay fictitious gains to other clients, to return original investment amounts to other clients, and to pay for some of Rege's personal expenses.

The complaint alleges that Rege engaged in the alleged misconduct even after the SEC had barred him, in a 2019 SEC order, from associating with an investment adviser and ordered him to cease and desist from further violations of certain anti-fraud provisions in the Advisers Act. The complaint alleges that Rege acted as an investment adviser in violation of the bar against him. Further, according to the SEC's complaint, Rege failed to disclose to his advisory clients that he had been barred from associating with an investment adviser.

As published in The International Journal of Blockchain Law, Vol. 1, Nov. 2021.

Whether in the news, social media, popular entertainment, and increasingly in people's portfolios, crypto is now part of the vernacular.[1]  But what that term actually encompasses is broad and amorphous and includes everything from tokens, to non-fungible tokens, to Dexes to Decentralized Finance or DeFI. For those readers not already familiar with DeFi, unsurprisingly, definitions also vary.  In general, though, it is an effort to replicate functions of our traditional finance systems through the use of blockchain-based smart contracts that are composable, interoperable, and open source.[2]  Much of DeFi activity takes place on the Ethereum blockchain, but any blockchain that supports certain types of scripting or coding can be used to develop DeFi applications and platforms.

DeFi presents a panoply of opportunities.  However, it also poses important risks and challenges for regulators, investors, and the financial markets.  While the potential for profits attracts attention, sometimes overwhelming attention, there is also confusion, often significant, regarding important aspects of this emerging market.  Social media questions like "who in the U.S. regulates the DeFi market?" and "Why are regulators involved at all?" abound.  These are crucial questions, and the answers are important to lawyers and non-lawyers alike. This article attempts to provide a short background on the current regulatory landscape for DeFi, the role of the United States Securities and Exchange Commission ("SEC"), and highlights two important hurdles that the community should address.[3]  

I. Many Investments Share Important Attributes

Many DeFi offerings and products closely resemble products and functions in the traditional financial marketplace.[4]  There are decentralized applications, or dApps, running on blockchains, that enable people to obtain an asset or loan upon posting of collateral, much like traditional collateralized loans.[5]  Others offer the ability to deposit a digital asset and receive a return.  Both types of products offer returns, some directly, and some indirectly by enabling the use of borrowed assets for other DeFi investing opportunities.  In addition, there are web-based tools that help users identify, or invest in, the highest-yielding DeFi instruments and venues.[6]  Other applications let users earn fees in exchange for supplying liquidity or market making.[7]  There are also tokens coded to track the prices of securities trading on registered U.S. national securities exchanges, and then can be traded and used in a variety of other DeFi applications.  So while the underlying technology is sometimes unfamiliar, these digital products and activities have close analogs within the SEC's jurisdiction. 

These similarities should come as a surprise to no one, considering finance is in the name.  It should also come as a surprise to no one that investing is often at the core of DeFi activity.   This movement is not about merely developing new digital asset tokens.  Developers have also constructed smart contracts that offer individuals the ability to invest, to lever those investments, to take a variety of derivative positions, and to move assets quickly and easily between various platforms and protocols.  And there are projects that show a potential for scalable increased efficiencies in transactions speed, cost, and customization.       

These projects are evolving incredibly fast with new and interesting potential.  Considering the relative infancy of blockchains that support the scripting needed for sophisticated smart contracts, DeFi development is particularly impressive.  But these offerings are not just products, and their users are not merely consumers.  DeFi, again, is fundamentally about investing.  This investing includes speculative risks taken in pursuit of passive profits from hoped-for token price appreciation, or investments seeking a return in exchange for placing capital at risk or locking it up for another's benefit.  

II. Unregulated Markets Suffer From Structural Limitations

Market participants who raise capital from investors, or provide regulated services or functions to investors, generally take on legal obligations. In what may be an attempt to disclaim those legal obligations, many DeFi promoters disclose broadly that DeFi is risky and investments may result in losses, without providing the details investors need to assess risk likelihood and severity.[8]  Others could accurately be characterized as simply advocating a "buyer beware" approach; by participating, investors assume the risk of any and all losses.  Given this, many current DeFi participants recommend that new investors exercise caution, and many experts and academics agree there are significant risks.[9] 

While DeFi has produced impressive alternative methods of composing, recording, and processing transactions, it has not rewritten all of economics or human nature.  Certain truths apply with as much force in DeFi as they do in traditional finance: 

• Unless required, there will be projects that do not invest in compliance or adequate internal controls;
• when the potential financial rewards are great enough, some individuals will victimize others, and the likelihood of this occurring tends to increase as the likelihood of getting caught and severity of potential sanctions decrease; and
• absent mandatory disclosure requirements,[10] information asymmetries will likely advantage rich investors and insiders at the expense of the smallest investors and those with the least access to information.

Accordingly, DeFi participants' current "buyer beware" approach is not an adequate foundation on which to build reimagined financial markets.  Without a common set of conduct expectations, and a functional system to enforce those principles, markets tend toward corruption, marked by fraud, self-dealing, cartel-like activity, and information asymmetries.  Over time that reduces investor confidence and investor participation.[11] 

Conversely, well-regulated markets tend to flourish, and I think our U.S. capital markets are prime examples.  Because of their reliability and shared adherence to minimum standards of disclosure and conduct, our markets are the destination of choice for investors and entities seeking to raise capital.  Our securities laws do not merely serve to impose obligations or burdens, they provide a critical market good.  They help address the problems noted above, among others, and our markets function better as a result.   But, in the brave new DeFi world, to date there has not been broad adoption of regulatory frameworks that deliver important protections in other markets.    

III. Who Regulates DeFi?

In the United States, multiple federal authorities likely have jurisdiction over aspects of DeFi, including the Department of Justice, the Financial Criminal Enforcement Network, the Internal Revenue Service, the Commodity Futures Trading Commission, and the SEC.[12]  State authorities likely have jurisdiction over aspects as well.[13]  In spite of the number of authorities having some jurisdictional interest, DeFi investors generally will not get the same level of compliance and robust disclosure that are the norm in other regulated markets in the U.S.  For example, a variety of DeFi participants, activities, and assets fall within the SEC's jurisdiction as they involve securities and securities-related conduct.[14]  But no DeFi participants within the SEC's jurisdiction have registered with us, though we continue to encourage participants in DeFi to engage with the staff.  If investment opportunities are offered completely outside of regulatory oversight, investors and other market participants must understand that these markets are riskier than traditional markets where participants generally play by the same set of rules.   

IV. The Role of the SEC

As an SEC Commissioner I have a duty to help ensure that market activity, whether new or old, operates fairly, and offers all investors a level playing field.[15]  I would expect this goal to be one DeFi market participants also support. 

To do this, the SEC has a variety of tools at its disposal ranging from rulemaking authority, to various exemptive or no action relief, to enforcement actions.  Importantly, if DeFi development teams are not sure whether their project is within the SEC's jurisdiction, they should reach out to our Strategic Hub for Innovation and Financial Technology ("FinHub"), or our other Offices and Divisions, all of which have experts well-versed in issues relating to digital assets.[16]  It is my understanding that FinHub has never refused a meeting, and their engagement is meaningful.[17]  If a series of meetings is needed, they spend the necessary time.  If a project does not fit neatly within our existing framework, before proceeding to market, that project team should come and talk to us.[18]  The more the project team can lead that discussion with possible solutions, the better outcomes they can expect.  Our staff cannot offer legal advice, but they stand ready to listen to ideas and provide feedback, as developers know their projects better than we ever could.  If the project is seemingly constrained by our rules, it is critical for us to get specific ideas about how these new technologies can be integrated into our regulatory regime to ensure the market and investor protections afforded by the federal securities laws, while allowing innovations to flourish. 

That being said, for non-compliant projects within our jurisdiction, we do have an effective enforcement mechanism.  For example, the SEC recently settled an enforcement action with a purported DeFi platform and its individual promoters.  The SEC alleged they failed to register their offering, which raised $30 million, and misled their investors while improperly spending investor money on themselves.[19]  To the extent other offerings, projects, or platforms are operating in violation of securities laws, I expect we will continue to bring enforcement actions.  But my preferred path is not through enforcement, and I do not consider enforcement inevitable.  Broad non-compliance that necessitates numerous enforcement actions is not an efficient way to achieve what I believe are shared goals for DeFi.  The more projects that voluntarily comply with regulations, the less frequently the SEC will have to pursue investigations and litigation. 

V. Structural Hurdles   

I recognize it is not the SEC's role to prevent all investment losses.  It is also not my goal to restrict investor access to fair and appropriate opportunities.  But it is my job to demand that investors have equal access to critical information so they can make informed decisions whether to invest and at what price.  I am similarly committed to ensuring markets are fair and free from manipulation.  Given this, it seems that there are two specific structural problems that the DeFi community needs to address.

A. Lack of Transparency

First, although transactions often are recorded on a public blockchain, in important ways, DeFi investing is not transparent.  I am concerned that this lack of transparency contributes to a two tier market in which professional investors and insiders reap outsized returns while retail investors take more risks, get worse pricing, and are less likely to succeed over time.[20]  Much of DeFi is funded by venture capital and other professional investors.  It is unclear to me how well known this is in the DeFi retail investor community, but the underlying funding deals often grant professional investors equity, options, advisory roles, access to project team management, formal or informal say on governance and operations, anti-dilution rights, and the ability to distribute controlling interests to allies, among other benefits.  Rarely are these arrangements disclosed, but they can have a significant impact on investment values and outcomes.  Retail investors are already operating at a significant disadvantage to professional investors in DeFi,[21] and this information imbalance exacerbates the problem. 

Some contend that DeFi is, in fact, more egalitarian and transparent because much of the activity is based on code that is publicly available.[22]  However, only a relatively small group of people can actually read and understand that code, and even highly-qualified experts miss flaws or hazards.  Currently the quality of that code can vary drastically, and has a significant impact on investment outcomes and security.  If DeFi has ambitions of reaching a broad investing pool, it should not assume a significant portion of that population can or wants to run their own testnet to understand the risks associated with the code on which their investment prospects rely.  It is not reasonable to build a financial system that demands investors also be sophisticated interpreters of complex code. 

Put simply, if a retail investor has $2,000 to invest in a risky programmable asset, it is not cost effective for that investor to hire experts to audit the code to ensure it will behave as advertised.  Instead, retail investors must rely on information available through marketing, advertising, word of mouth, and social media.  Professional investors, on the other hand, can afford to hire technical experts, engineers, economists, and others, before making an investment decision.  While this professional advantage exists historically in our financial markets, DeFi exacerbates it.  DeFi removes intermediaries that perform important gatekeeping functions and operates outside the existing investor and market protection regime.  That can leave retail investors without access to professional financial advisors or other intermediaries who help screen potential investments for quality and legitimacy.  These provide meaningful fraud reduction and risk assessment assistance in traditional finance, but there are limited substitutes in DeFi. 

B. Pseudonymity

A second foundational challenge for DeFi is that these markets are vulnerable to difficult to detect manipulation.  DeFi transactions occur on a blockchain, and each transaction is recorded, immutable, and available for all to see.  But that visibility extends only down to a certain identifier.  Because of pseudonymity, the blockchain displays the blockchain address that sent or received assets, but not the identity of the person who controls it. 

Without an efficient method for determining the actual identity of traders, or owners of smart contracts, it is very difficult to know if asset prices and trading volumes reflect organic interest or are the product of manipulative trading by, for example, one person using bots to operate multiple wallets, or a group of people trading collusively.  There are specific U.S. securities laws prohibiting trading for the purpose of giving the false appearance of market activity or to manipulate the price of a security,[23] because successful investing depends on reliable information and market integrity.  Pseudonymity makes it much easier to conceal manipulative activity and almost impossible for an investor to distinguish an individual engaging in manipulative trading from normal organic trading activity.  In DeFi, because markets often turn on asset price, trading volumes, and momentum, investors are vulnerable to losses due to manipulative trading that makes those signals unreliable.  To the extent transactions occur off public blockchains, it is even more difficult to assess whether trading is legitimate.

I recognize that in some ways DeFi is synonymous with pseudonymous.  The use of alphanumeric strings that obscure real world identity was a core feature of Bitcoin and has been present in essentially all blockchains that have followed.  But in the U.S., investors have long been comfortable with a compromise in which they give up some limited degree of privacy by sharing their identity with the entity through which they trade securities.  In return, they benefit from regulated markets that are more fair, orderly, and efficient, with less manipulation and fraud.   

In moving to DeFi, I suspect most retail investors are not doing so because they seek greater privacy; they are seeking better returns than they believe they can find from other investments.  While some in DeFi believe in absolute financial privacy, I expect that projects that solve for pseudonymity are more likely to succeed, because investors can then be comfortable that asset prices reflect actual interest from real investors, not prices pumped by hidden manipulators.  Projects that address this problem are also more likely to be able to comply with SEC regulations and other legal obligations, including requirements around anti-money laundering and countering the financing of terrorism imposed by the Bank Secrecy Act.

VI. Conclusion

My respect for innovation does not lessen my commitment to help ensure all our financial markets are sustainable and offer average investors a fair chance of success.  DeFi is a shared opportunity and challenge.  Some DeFi projects fit neatly within our jurisdiction, and others may struggle to comply with the rules as currently applied.  It is not enough to just say it is too hard to regulate or to say it is too hard to comply with regulations. 

It is a positive sign that many projects say they want to operate within DeFi in a compliant way.  I credit their sincerity on this point, and hope they commit resources to collaborating with the SEC staff in the same spirit.  For DeFi's problems, finding compliant solutions is something best accomplished together.  Reimagining our markets without appropriate investor protections and mechanisms to support market integrity would be a missed opportunity, at best, and could result in significant harm, at worst.  In conceiving a new financial system, I believe developers have an obligation to optimize for more than profitability, speed of deployment, and innovation.  Whatever comes next, it should be a system in which all investors have access to actionable, material data, and it should be a system that reduces the potential for manipulative conduct.  Such a system should lead capital to flow efficiently to the most promising projects, rather than being diverted by mere hype or false claims.  It should also be designed to advance markets that are interconnected, but with sufficient safeguards to withstand significant shocks, including the potential for rapid deleveraging.  In decentralized networks with diffuse control and disparate interests, regulations serve to create shared incentives aligned to benefit the entire system and ensure fair opportunities for its least powerful participants.

My staff and I have been actively engaged in helpful discussions with DeFi experts and my door remains open.[24]  I can't promise an easy or quick process, unfortunately, but I can assure you of good faith consideration and a true desire to help promote responsible innovation.

= = = = =

 

[1]  I am deeply grateful to my colleagues Robert Cobbs, Kathleen Gallagher, Micah Hauptman, Claire O'Sullivan, and Gosia Spangenberg, whose hard work made this submission possible.  I would like to particularly thank my colleague David Hirsch, who has been instrumental not only to this submission, but also provides valuable support to my office's overall approach to digital assets.  We are also grateful to a variety of industry experts and attorneys who generously shared their time and ideas, and helped deepen my understanding of these questions.  And finally, thanks to Dr. Matthias Artzt, Sandra Ro, and all the editors of The International Journal of Blockchain Law.  The views I express herein are my own and do not necessarily reflect the views of the Commission, my fellow Commissioners, or the SEC Staff.

[2] Composable refers to the ability to link smart contracts and build on existing modular code, which leads some to refer to DeFi applications as money Legos.  See Quantstamp Labs, DeFi's Composability: More Possibility, More Risk, (last visited Nov. 8, 2021).  The term interoperable describes the ability to use DeFi protocols and applications across platforms and smart contracts.  See Fabian Schär, Decentralized Finance: On Blockchain and Smart Contract-Based Financial Markets, Fed. Res. Bank St. Louis Rev. 153 (Feb. 5. 2021).

[3] In addition to the securities law issues addressed in this article, regulators have also raised concerns about DeFi projects' failures to comply with rules relating to anti-money laundering, combating the financing of terrorism, tax compliance, the Commodity Exchange Act, and other issues.  While not the primary focus of this article, I share some of those same concerns.

[4] The DeFi market overall has grown dramatically.  DeFi today has more than $101 billion in total value locked, representing rapid expansion since September 2020 when that figure stood at $19.5 billion.  See Marketforces Africa, DeFi Market Soared 335% to $85 Billion, (last visited Nov. 8, 2021).

[5] See Schär, supra note 3, at 164.

[6] Id. at 165.

[7] Id. at 162.

[8] I listened to a recent podcast in which a young developer acknowledged that humans as a species are attracted to high returns, but are also bad at considering risk in choosing where to invest and at what price.  He also said that people were mortgaging their homes to free up funds with which to invest in DeFi, and that he was concerned the outcome could be scary.  Without reference to this specific person, it seems like common knowledge that some retail investors are taking on huge exposure in DeFi without understanding the risk or having the ability to price for it.  Developers should build systems that are compliant with important regulatory and policy frameworks so that investors have all material information, including about the potential risks, and are protected from misconduct that puts them at a disadvantage. 

[9] See Nic Carter & Linda Jeng, DeFi Protocol Risks: The Paradox of DeFi, RiskBooks (forthcoming 2021).

[10] For activity within the SEC's jurisdiction, compliance with the investor protections of the Securities Act of 1933 and the Securities and Exchange Act of 1934 requires important disclosures. 

[11] There is a great deal of academic research into network effects and how network adoption and engagement benefits the value of networks.  I would be interested in research that studies how fraud and other violations of trust within a network impact that network's value by reducing adoption and engagement, and the potential for this impact to extend to competing networks.

[12]  The U.S. government has dedicated significant resources to providing feedback, supporting innovation, and developing in-house expertise to ensure regulatory approaches are based on an accurate understanding of the technology.  For example, the SEC has a FinHub, and a number of other authorities have innovation initiatives that engage with market participants and study the technology. 

[13] See Melanie Waddell, State Securities Regulators Report Tripling of Digital Asset Enforcement Actions, ThinkAdvisor (last visited Nov. 8, 2021).

[14] At the SEC we have existing laws and rules that guide our approach and are shaped by court interpretations.  Rather than proactively labeling every investment vehicle as a security or not a security, we look at specific facts and circumstances and apply the law based on that analysis.  We do not have a measuring box like at airports, where if a bag fits inside it can be carried on, and otherwise must be checked.  That type of mechanical jurisdictional test might be easier to apply and yield a faster conclusion, but ultimately would require us to revise the test and adapt the rules every time a new type of investment is introduced or changes in form.  Considering that we regulate capital markets exceeding $110 trillion, made up of tens of thousands of entities, that type of proactive "define everything" approach is too rigid, and markets are too large, for it to be workable.  Our statutes recognize that and provide for a flexible, principles-based approach, but one that also inherently requires a more detailed analysis to determine whether specific conduct or assets are within the SEC's jurisdiction. 

[15] My responsibility extends to conduct within the SEC's jurisdiction, and my able colleagues at sibling agencies are responsible for other types of conduct. 

[16] See SEC Strategic Hub for Innovation and Financial Technology ("FinHub").

[17] FinHub comprises representatives across the SEC's Divisions, and so those meetings includes access to a broad range of experts.  FinHub is also an important resource to the Commission as it considers policy choices.    

[18] Coming in to speak with SEC staff does not provide amnesty for violative conduct.  It is, however, an important path to help projects identify potential SEC regulatory compliance issues, discuss possible solutions, and develop a plan to operate legally.  To the extent a project team has already been operating outside of compliance, working with staff to prevent future violations may also position it to more quickly and inexpensively resolve any potential enforcement action for related past violations.  Our Division of Enforcement considers cooperation when determining what remedies to recommend for violative conduct and we have agreed to settle multiple cases with reduced or no penalties in response to self-reporting violations, including in the digital assets space.  See, e.g., In the Matter of Gladius Networks, Order Instituting Cease and Desist Proceedings, Securities Act Release No. 10608 (Feb. 20, 2019). 

[19] See In the Matter of Blockchain Credit Partners d/b/a DeFi Money Market, Gregory Keough, and Derek Acree, Order Instituting Cease and Desist Proceedings, Securities Act Release No. 10961 (Aug. 6, 2021).

[20] I recognize that DeFi has experienced significant asset price appreciation, and that is part of what motivated me to write this.  The impacts of the information disparities or market conduct on retail investors may not be easy to see until the next DeFi market downturn or crisis. 

[21] Joel Khalil, Investing in DeFi is Seriously Risky But Maybe It Doesn't Have to Be, Techradar.com (last visited Nov. 8, 2021) (describing "[h]igh transaction fees, market volatility and security incidents linked with vulnerabilities in smart contracts" as risks that are more pronounced for retail investors).

[22] Kevin Werbach, Finance 3.0: DeFi, Dapps, and the Promise of Decentralized Disruption, The Reboot (last visited Nov. 8, 2021).

[23] See 15 U.S.C. § 78i (2018). 

[24] In a recent speech I requested input from digital assets market participants.  See Caroline Crenshaw, Commissioner, Sec. & Exch. Comm'n, Digital Asset Securities - Common Goals and a Bridge to Better Outcomes (Oct. 12, 2021).  Unfortunately, that has not yet yielded much of a response from a community that often says it lacks necessary guidance from the SEC, among others.  My door remains open, and I welcome your ideas.  I've created a dedicated mailbox for this purpose: crenshaw-defi@sec.gov. 

Good morning, everyone and thank you for inviting me to deliver the Scott Friestad Memorial Keynote address. I didn't have the privilege of knowing Scott, but in my few months as Director, I've frequently heard his name, and I've noticed that it is always uttered with respect and affection. Staff considered him a leader, a model Enforcement attorney, a mentor, and a friend. I'm honored to deliver this address that bears his name.

It's also a privilege to address so many of our foreign counterparts. As our economies and securities markets become increasingly interconnected, it's important that we continue to support each other in our shared mission of protecting investors and maintaining market integrity. I thank you all for your partnership and I look forward to continuing to find new ways to collaborate.

Before I continue, I must provide the standard disclaimer that my remarks today express my views, and do not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.[1]

Given that we are all here virtually in London today, I thought it appropriate to begin my remarks by quoting from Lewis Carroll's well-known and much-loved poem, The Hunting of the Snark:

"Just the place for a Snark!" the Bellman cried,

As he landed his crew with care;

Supporting each man on the top of the tide

By a finger entwined in his hair.

"Just the place for a Snark! I have said it twice:

That alone should encourage the crew.

Just the place for a Snark! I have said it thrice:

What I tell you three times is true."

While literary scholars classify this poem as "nonsense poetry," they've nevertheless debated its meaning for over two centuries. To many, this particular stanza underscores an important concept: the idea that repetition can be used as grounds for truth. Repetition, after all, is a persuasive technique used regularly by effective orators and children alike to make convincing and, on occasion in my home, winning arguments. That's because repeated information is often perceived as more truthful than new information. But as we all know, just because a statement is made repeatedly doesn't necessarily make it true. In my case, no matter how many times my children promised they'd take care of the dog if we got one, it's never happened.

So what does the Snark have to do with the enforcement of U.S. securities laws? In my three months in this role, I have heard more than three times the refrain that we are "regulating by enforcement." In particular, I've heard it when we, as regulators, are contending with emerging challenges, technologies or investment products. Lewis Carroll notwithstanding, I don't find this to be the case.

Since its founding more than 85 years ago, the SEC has stayed true to its three-part mission of protecting investors, maintaining fair, orderly and efficient markets, and facilitating capital formation. Central to that mission is the work of the SEC's Division of Enforcement. Our staff work tirelessly day in and day out to investigate possible violations of the federal securities laws and to prosecute the Commission's civil suits in the federal courts and in administrative proceedings. And the tools we use consist of statutes enacted by the United States Congress and the rules adopted by the SEC pursuant to those statutes, subject, of course, to judicial interpretations of these statutes and rules by the courts of original and appellate jurisdiction before which SEC staff appear throughout the United States.

And so it was this past fiscal year; a year in which, even with all of the challenges presented by the global pandemic, we brought more standalone enforcement actions than in the prior fiscal year.[2] That is not "regulating by enforcement"; it's using all of our tools to pursue wrongdoers, protect investors, and fulfill our mission. 

But these days, most often in the context of crypto matters and our investigations of certain ESG - or environmental, social, and governance - related products and services, we hear that we should avoid "regulation by enforcement." I'd like to touch upon both areas today. With respect to crypto, let me first be clear that we encourage and welcome the use of new technologies for capital formation. They have the potential to make our markets more efficient and dynamic, and to increase access for investors. But - equally importantly - all securities offered or sold to U.S. investors - regardless of their form or name - must comply with the U.S. securities laws. The purpose here is to protect investors and the integrity of our markets by ensuring that investors are provided proper disclosures and the products are subject to regulatory scrutiny. 

More than four years have passed since we formed the Cyber Unit within the Enforcement Division.[3] In that time, an important area of focus for the Division, and the Cyber Unit in particular, has been digital assets and initial coin offerings - or "ICOs." We have brought dozens of cases concerning fraudulent and unregistered ICOs, and related touting violations - and we will continue that focus.[4]

We have also focused on market intermediaries who facilitate trading in unregistered securities, including unregistered securities exchanges and broker-dealers. For example, we recently brought settled charges against a web-based trading platform that facilitated buying and selling of digital asset securities, for operating as an unregistered online digital asset exchange.[5] And we have been on the lookout for platforms that illegally tout digital asset securities because promoting securities in exchange for undisclosed compensation is illegal, regardless of whether the security is a stock, a bond, or a digital asset.[6]

Importantly, in many of these cases, we have been able to secure meaningful relief for defrauded investors. For example, in addition to monetary relief, we have obtained undertakings that require issuers of digital asset securities to destroy tokens in their possession, request removal of tokens from trading platforms, publish the SEC's order on social media channels, and refrain from participating in future digital asset offerings.[7]

The threshold issue in each of these cases is whether the digital asset or token is a security, and therefore subject to the registration and disclosure requirements of the federal securities laws. Congress defined "security" all the way back in the 1930s to include, among other things, "investment contracts" and "notes." A decade later, in 1946, the U.S. Supreme Court held in SEC v. Howey, that an investment contract exists when there is an "investment of money in a common enterprise with profits to come solely from the efforts of others."[8] And more than 30 years ago, in 1990, the Supreme Court held in Reves v. Ernst & Young that a note is presumed to be a security unless it bears a strong "family resemblance" to certain judicially crafted exceptions to notes that are not securities.[9]

In the intervening decades, courts have time and again affirmed the Howey and Reves tests in connection with a wide range of investment vehicles - including, at issue in Howey, citrus groves. The Howey court showed great foresight in describing the Howey test as "flexible" and "capable of adaptation to meet the countless and variable schemes devised by those who seek to use the money of other on the promise of profits."[10]

And courts have done just that in the crypto space. For example, recently, a federal district court in New York held in SEC v. Kik Interactive Inc. that the "Kin" token was an investment contract under Howey, and therefore a "security." The court went on to find that Kik, the issuer, had violated the federal securities laws when it conducted an unregistered offering that did not qualify for any exemption from registration requirements.[11]  

The Kik decision made a couple points that are worth highlighting here in that they show that the court looked to the token's substance over its form in reaching the conclusion that it is a security. First, in response to Kik's argument that the term "investment contract" was unconstitutionally vague as applied to Kik, the court stated that "Howey provides a clearly expressed test for determining what constitutes an investment contract, and an extensive body of case law provides guidance on how to apply that test to a variety of factual scenarios."[12]

In other words, the regulations we apply when investigating possible misconduct in the crypto space are long-standing and well-established. The court also dismissed Kik's argument that the SEC had failed to issue guidance on securities enforcement related specifically to cryptocurrencies, stating that "the law does not require the Government to reach out and warn all potential violators on an individual or industry level."[13]

Nevertheless, the Commission has not only issued guidance concerning the potential applicability of the U.S. securities laws to distributed ledger technology and digital assets,[14] but also investor alerts about the risks associated with investing in digital asset securities.[15]

So, to borrow from Lewis Carroll a bit with license-regardless of whether you call your new product a "Snark," "Boojum," or "Jubjub" coin doesn't take it outside of our securities regime. As Chair Gensler aptly stated at the Aspen Security Forum this summer: "Make no mistake:  It doesn't matter whether it's a stock token, a stable value token backed by securities, or any other virtual product that provides synthetic exposure to underlying securities. These products are subject to the securities laws and must work within our securities regime."[16] And investor protection requires us to use our well-established tools to examine the substance, or the economic realities, of the transaction or offering.

In other words, just because you give something a label - perhaps in an attempt to avoid securities regulation - doesn't make it so. This is evident from a recent case we filed against a so-called "decentralized finance," or "DeFi," lender. In that case, we charged two Florida men and their Cayman Islands company for unregistered sales of more than $30 million of securities and for misleading investors concerning the operations and profitability of their business, which, as it turns out, was neither decentralized nor finance.[17] It was plain fraud.

We also recently brought a case against a so-called online crypto "lending program."[18] The SEC alleged that the defendants in that case raised $2 billion based on false representations to investors that the lending program would deploy its "volatility software trading bot" to generate exorbitantly high returns for investors. But, according to the complaint, rather than deploy investor funds for trading with the purported trading bot, the defendants siphoned investors' funds off for their own benefit.

Again-for the third time-just because you call a project "decentralized" or a "lending program" or "stable" will not dictate how and whether we look at it. Investor protection requires more. Because as SEC Commissioner Caroline Crenshaw recently observed, had we not brought our existing tools to bear during "the Initial Coin Offering or ICO boom of 2017 and 2018, [] the results would have been even worse for investors and the markets. ICOs and other digital asset offerings raised billions from investors, but most never delivered on their promises. Investors suffered the losses."

We're also starting to hear the popular refrain "regulation by enforcement" in the context of ESG. ESG issues, including business risks posed by climate issues, have become increasingly important to issuers' financial health and investors' investment decisions.[19] In response, issuers have begun to disclose more information on ESG and climate-related issues. Investment advisers - both U.S. and foreign - have likewise begun to offer more investment products and financial services that claim to incorporate ESG. At the same time, as our European counterparts well know, greenwashing has emerged as an investor protection concern.[20]  

To sharpen our focus in this area, earlier this year we announced the formation of the Climate and ESG Task Force within the Division of Enforcement.[21] The Task Force works closely with the other SEC Divisions and Offices to proactively detect climate and ESG-related misconduct. But there is nothing "new" about how the Task Force - or the Enforcement Division as a whole - investigates possible climate and ESG-related misconduct.  

As with any investigation, we look to make sure our current rules and laws are being followed. For issuers, this means that we apply long-standing principles of materiality and disclosure. If an issuer chooses to speak on climate or ESG - whether in an SEC filing or elsewhere - it must ensure that its statements are not materially false or misleading, or misleading because they omit material information - just as it would when disclosing information in its income statement, balance sheet, or cash flow statement.  

And in the asset management space, it means we apply long-standing principles regarding fiduciary duties and honest disclosure regarding how products will be managed. If an asset manager is marketing an ESG fund or strategy, it must do so in a way that's not materially false or misleading while adhering to client mandates and restrictions - just as it would when marketing any fund or strategy. Asset managers must also adhere to the requirement to adopt and implement written compliance policies and procedures that are reasonably designed to prevent violations of our laws.

This is not a new mandate for us. In 2008, the Commission filed a settled case against Pax World Management, an SEC-registered investment adviser to several socially responsible mutual funds.[22] The SEC found that Pax World told investors and the boards of the mutual funds it advised that it complied with various "socially responsible investing" restrictions. Those restrictions precluded Pax World from purchasing for the funds securities issued by companies involved with producing weapons, alcohol, tobacco or gambling products. This likely was the primary reason many investors chose to invest in these funds. 

But, contrary to what Pax World had promised, it purchased at least 10 securities that were prohibited under the funds' socially responsible investing restrictions. The SEC found that by failing to comply with the funds' restrictions, Pax World breached its fiduciary duty to its clients and violated certain anti-fraud and false filing provisions of the federal securities laws.

More recently, in late 2020, the SEC brought a settled case against Fiat Chrysler for violating the reporting provisions of the federal securities laws by making materially misleading statements about their vehicles' emissions.[23] The SEC's order found that, in the wake of the Volkswagen diesel emissions scandal, Fiat Chrysler issued a press release and an annual report, both of which stated that an internal audit confirmed the company's vehicles complied with environmental regulations concerning emissions. These statements were misleading because they failed to disclose the limited scope of the internal audit and that it was not a comprehensive review of compliance with emissions regulations. In fact, by the time Fiat Chrysler made these misleading statements, U.S. environmental regulators had raised concerns to Fiat Chrysler about the emissions systems in certain of its diesel vehicles.

While I could cite a third matter to keep with the Bellman's rule of three, I'll leave it at these two cases, which demonstrate that the requirements that companies' disclosures be accurate and not misleading, and that investment advisers adhere to their fiduciary duty and accurately describe their investment strategies, are not new, and should be of surprise to no one.

Although the focus of the Enforcement Division may change and evolve over time depending on issues facing and of importance to investors, companies, and the economy as a whole, or in response to new and emerging technologies and investment products, we will continue to apply long-standing, well-known and understood regulations and standards that govern the securities industry when investigating possible misconduct. 

This is not "regulation by enforcement."

This is not "regulation by enforcement."

This is not "regulation by enforcement."

There. I have said it thrice and what I tell you three times is true.

Thank you for inviting me to speak today and please enjoy the rest of your conference.

= = = = =

 

[1] The Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.

[2] Remarks at SEC Speaks 2021 (Oct. 13, 2021), available at https://www.sec.gov/news/speech/grewal-sec-speaks-101321.

[3] Press Release 2017-176, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017), available at https://www.sec.gov/news/press-release/2017-176.

[4] https://www.sec.gov/spotlight/cybersecurity-enforcement-actions

[5] Press Release 2021-147, SEC Charges Poloniex for Operating Unregistered Digital Asset Exchange (Aug. 9, 2021), available at https://www.sec.gov/news/press-release/2021-147.

[6] Press Release 2021-125, ICO "Listing" Website Charged With Unlawfully Touting Digital Asset Securities (July 14, 2021), available at https://www.sec.gov/news/press-release/2021-125.

[7] See, e.g., Litigation Release No. 25157, SEC Charges Issuer for Conducting Fraudulent and Unregistered Digital Asset Security Offering (Aug. 4, 2021), available at https://www.sec.gov/litigation/litreleases/2021/lr25157.htm; Press Release 2021-108, SEC Charges ICO Issuer and CEO With Fraud and Unregistered Securities Offering (June 22, 2021), available at https://www.sec.gov/news/press-release/2021-108; Press Release 2020-181, SEC Charges Issuer and CEO With Misrepresenting Platform Technology in Fraudulent ICO (Aug. 13, 2020), available at https://www.sec.gov/news/press-release/2020-181.

[8] SEC v. W.J. Howey Co., et al., 328 U.S. 293 (1946), available at https://supreme.justia.com/cases/federal/us/328/293/.

[9] Reves v. Ernst & Young, 494 U.S. 56 (1990), available at https://supreme.justia.com/cases/federal/us/494/56/.

[10] Howey, 328 U.S. at 299.

[11] SEC v. Kik Interactive Inc., 19 Civ. 5244 (S.D.N.Y. Sept. 30, 2020), available at https://law.justia.com/cases/federal/district-courts/new-york/nysdce/1:2019cv05244/516941/88/.

[12] Id. at 18.

[13] Id. (citations omitted).

[14] See Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO, Exchange Act Rel. No. 81207, at p. 10 (July 25, 2017).

[15] See Digital Asset and "Crypto" Investment Scams, available at https://www.investor.gov/introduction-investing/general-resources/news-alerts/alerts-bulletins/investor-alerts/digital-asset (Sept. 1, 2021); Funds Trading in Bitcoin Futures, available at https://www.investor.gov/introduction-investing/general-resources/news-alerts/alerts-bulletins/investor-bulletins/funds (June 10, 2021); Initial Exchange Offerings (IEOs), available at https://www.sec.gov/oiea/investor-alerts-and-bulletins/ia_initialexchangeofferings (Jan. 14, 2020); Watch Out for Fraudulent Digital Asset and "Crypto" Trading Websites, available at https://www.investor.gov/introduction-investing/general-resources/news-alerts/alerts-bulletins/investor-alerts/investor-3 (Apr. 24, 2019); Watch Out for False Claims About SEC and CFTC Endorsements Used to Promote Digital Asset Investments, available at https://www.investor.gov/introduction-investing/general-resources/news-alerts/alerts-bulletins/investor-alerts/investor-10 (Oct. 11, 2018); The SEC Has an Opportunity You Won't Want to Miss: Act Now!, available at https://www.sec.gov/news/press-release/2018-88 (May 16, 2018); Initial Coin Offerings, available at https://www.investor.gov/introduction-investing/general-resources/news-alerts/alerts-bulletins/investor-bulletins-16 (July 25, 2017).

[16] Remarks Before the Aspen Security Forum (Aug. 3, 2021), available at https://www.sec.gov/news/public-statement/gensler-aspen-security-forum-2021-08-03.

[17] Press Release 2021-145, SEC Charges Decentralized Finance Lender and Top Executives for Raising $30 Million Through Fraudulent Offerings (Aug. 6, 2021), available at https://www.sec.gov/news/press-release/2021-145.

[18] Press Release 2021-172, SEC Charges Global Crypto Lending Platform and Top Executives in $2 Billion Fraud (Sept. 1, 2021), available at https://www.sec.gov/news/press-release /2021-172.

[19] See Commissioner Allison Herren Lee, Keynote Address at the 2021 Society for Corporate Governance National Conference: Climate, ESG, and the Board of Directors: "You Cannot Direct the Wind, But You Can Adjust Your Sails," at *fn 3-4 (June 28, 2021), available at https://www.sec.gov/news/speech/lee-climate-esg-board-of-directors.

[20] See Regulation (EU) 2019/2088 of the European Parliament and of the Counsel on sustainability-related disclosures in the financial services sector (Nov. 27, 2019), available at https://eur-lex.europa.eu/eli/reg/2019/2088/oj.

[21] Press Release 2021-42, SEC Announces Enforcement Task Force Focused on Climate and ESG Issues (Mar. 4, 2021), available at https://www.sec.gov/news/press-release/2021-42.

[22] Press Release 2008-157, SEC Charges Mutual Fund Manager for Violating Socially Responsible Investing Restrictions (July 30, 2008), available at https://www.sec.gov/news/press/2008/2008-157.html.

[23] Press Release 2020-230, Fiat Chrysler Agrees to Pay $9.5 Million Penalty for Disclosure Violations (Sept. 28, 2020), available at https://www.sec.gov/news/press-release/2020-230.

• Securities Industry Commentator
• Bill Singer