The SEC Has Issued New Guidance On Cybersecurity Disclosures

On February 20, 2018, the SEC issued new interpretative guidance on public company disclosures related to cybersecurity risks and incidents. In addition to addressing public company disclosures, the new guidance reminds companies of the importance of maintaining disclosure controls and procedures to address cyber-risks and incidents and reminds insiders that trading while having non-public information related to cyber-matters could violate federal insider-trading laws.

The prior SEC guidance on the topic was dated, having been issued on October 13, 2011. For a review of this prior guidance, see HERE. The new guidance is not dramatically different from the 2011 guidance.

Introduction

The topic of cybersecurity has been in the forefront in recent years, with the SEC issuing a series of statements and creating two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICO’s). Moreover, the SEC has asked the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts. See my two-part blog series, including a summary of the recent speeches and initiatives, HERE and HERE.

The SEC incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of its review of public company disclosures, its oversight of critical market technology infrastructure, and its oversight of other regulated entities, including broker-dealers, investment advisors and investment companies. Considering rapidly changing technology and the proliferation of cybersecurity incidents, threats and risks affecting both private and public companies (including a hacking of the SEC’s own EDGAR system and a hacking of Equifax causing a loss of $5 billion in market cap upon disclosure), public companies have been anticipating a needed update to the SEC’s disclosure-related guidance.

SEC Commissioner Kara Stein’s statement on the new guidance is grim on the subject, pointing out that the risks and costs of cyberattacks have been growing and could result in devastating and long-lasting collateral effects. Commissioner Stein cites a Forbes article estimating that cyber-crime will cost businesses approximately $6 trillion per year on average through 2021 and an Accenture article citing a 62% increase in such costs over the last five years.

Commissioner Stein also discusses the inadequacy of the 2011 guidance in practice and her pessimism that the new guidance will properly fix the issue. She notes that most disclosures are boilerplate and do not provide meaningful information to investors despite the large increase in the number and sophistication of, and damage caused by, cyberattacks on public companies in recent years. Commissioner Stein includes a list of requirements that she would have liked to see in the new guidance, including, for example, a discussion of the value to investors of disclosing whether any member of a company’s board of directors has experience, education, expertise or familiarity with cybersecurity matters or risks.

I have read numerous media articles and blogs related to the disclosure of cyber-matters in SEC reports. One such blog was written by Kevin LaCroix and published in the D&O Diary. Mr. LaCroix’s blog points out that according to a September 19, 2016, Wall Street Journal article, cyber-attacks are occurring more frequently than ever but are rarely reported. The article cites a report that reviewed the filings of 9,000 public companies from 2010 to the present and found that only 95 of these companies had informed the SEC of a data breach.

As reported in a blog published by Debevoise and Plimpton, dated September 12, 2016, (thank you, thecorporatecounsel.net), a review of Fortune 100 cyber-reporting practices revealed that most disclosures are contained in the risk-factor section of regular periodic reports such as Forms 10-Q and 10-K, as opposed to interim disclosures in a Form 8-K. Moreover, only 20 incidents were reported at all in the period from January 2013 through the third quarter of 2015.

However, as Commissioner Stein notes, the SEC only has so much authority or power through guidance, as opposed to rulemaking. Commissioner Stein strongly advocates for new rulemaking in this regard. I do not think, in the current environment advocating for fewer rules, that rulemaking related to cybersecurity disclosure will be made a priority. Moreover, I would not advocate for in-depth or robust further rules. Disclosure is based on materiality, and a company has an ongoing obligation to disclose any material information, including that which is related to cybersecurity matters. I think the SEC can question principles-based specific disclosures, and whether they are robust enough, through review and comment on public company filings. Certainly, the SEC staff, who review thousands of filings, have the knowledge of a lack of cybersecurity disclosure and can comment. In fact, if the SEC wrote a few standard cybersecurity-related disclosure comments and included them in a lot of comment letters, the marketplace would respond accordingly and beef up disclosure to avoid the comments.

Although I do not generally advocate for additional rules, Commissioner Stein makes one suggestion that I would support, and that is adding the disclosure of a cybersecurity event to the Form 8-K filing requirements. Although the new SEC guidance does not specifically require a Form 8-K, in light of the importance of these events, it seems it would be appropriate and the guidance itself requires “timely disclosure.” However, without a specific requirement, a company could elect to disclose via a press release and/or the filing of a Form 8-K under Item 7.01 Regulation FD disclosure. When disclosing using a press release and Regulation FD item in a Form 8-K, a company may elect for the information to be “furnished, not filed.” Section 18 of the Exchange Act imposes liability for material misstatements or omissions contained in reports and other information filed with the SEC. However, reports and other information that are “furnished” to the SEC do not impose liability under Section 18. The antifraud provisions under Rule 10b-5 would still apply to the disclosure, but the stricter Section 18 liability would not.

New Guidance on Public Company Cybersecurity Disclosures

The new guidance begins with an introduction describing the importance of cybersecurity in today’s business world, driving the point home by comparing it to the importance of electricity. Cyber-incidents can take many forms, both intentional and unintentional, and commonly include the unauthorized access of information, including personal information related to customers’ accounts or credit information, data corruption, misappropriating assets or sensitive information or causing operational disruption. Attacks use increasingly complex methods, including malware, ransomware, phishing, structured query language injections and distributed denial-of-service attacks. A cyber-attack can be in the form of unauthorized access or a blocking of authorized access.

The purpose of a cyber-attack can vary as much as the methodology used, including for financial gain such as the theft of financial assets, intellectual property or sensitive personal information on the one hand, to a vengeful or terrorist motive through business disruption on the other hand. Perpetrators may be insiders and affiliates, or third parties including cybercriminals, competitors, nation-states and “hacktivists.”

When a company falls victim to a cyber-attack or incident, it will face direct financial and indirect negative consequences, including but not limited to:

  • Remediation costs, including liability for stolen assets, costs of repairing system damage, and incentives or other costs associated with repairing customer and business relationships;
  • Increased cybersecurity protection costs to prevent both future attacks and the potential damage caused by same. These costs include organizational changes, employee training and engaging third-party experts and consultants;
  • Lost revenues from unauthorized use of proprietary information and lost customers;
  • Litigation;
  • Increased insurance premiums;
  • Damage to the company’s competitiveness, stock price and long-term shareholder value; and
  • Reputational damage.

Whereas the 2011 disclosure guidance was conservative in its tone, trying to strike a balance between satisfying the disclosure mandates of providing the investing community with material information related to risks and a company’s need to refrain from providing disclosure that could, in and of itself, provide a road map to the very breaches a company attempts to prevent, the new guidance is more blunt about the critical need to inform investors about material cybersecurity risks and incidents when they occur.

A company’s ability to timely and properly make any required disclosure of cybersecurity risks and incidents requires the company to implement and maintain disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.

Insider Trading

It is also important that public company officers, directors and other insiders respect the importance and materiality of cybersecurity risk and incident knowledge and not trade a company’s securities when in possession of non-public information related to cybersecurity matters. In that regard, companies should include cybersecurity matters in their insider trading policies and procedures. These insider trading policies should (i) guard against trading in the period between when a company learns of a cybersecurity incident and the time it is made public; and (ii) require the timely disclosure of such non-public information.

Guidance

Public companies have many disclosure requirements, including through periodic reports on Forms 10-K, 10-Q and 8-K, through Securities Act registration statements such as on Forms S-1 and S-3 and generally through the antifraud provisions of both the Exchange Act and Securities Act, which require a company to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.

As with all disclosure requirements, the disclosure of cybersecurity risk and incidents requires a materiality analysis. Although there continues to be no specific disclosure requirement or rule under either Regulation S-K or S-X that addresses cybersecurity risks, attacks or other incidents, many of the disclosure rules encompass these disclosures indirectly, such as risk factors, internal control assessments, management discussion and analysis, legal proceedings, disclosure controls and procedures, corporate governance and financial statements. As mentioned, as with all other disclosure requirements, an obligation to disclose cybersecurity risks, attacks or other incidents may be triggered to make other required disclosures not misleading considering the circumstances.

A company has two levels of cybersecurity disclosure to consider. The first is its controls and procedures and corporate governance to both address cybersecurity matters themselves and to address the timely and thorough reporting of same. The second is the reporting of actual incidents.  In determining the materiality of a particular cybersecurity incident, a company should consider (i) the importance of any compromised information; (ii) the impact of an incident on company operations; (iii) the nature, extent and potential magnitude of the event; and (iv) the range of harm such incident can cause, including to reputation, financial performance, customer and vendor relationships, litigation or regulatory investigations.

Of course, the new guidance is also clear that a company would not need to disclose the depth of information that could, in and of itself, provide information necessary to breach cyber-defenses. A company would not need to disclose specific technical information about cybersecurity systems, related networks or devices or specific devices and networks that may be more susceptible to attack due to weaker systems.

The new guidance also reminds companies that they have a duty to correct prior disclosures that the company determines were untrue, or omitted material information, at the time they were made, and to update disclosures that become inaccurate after the fact.

Like the prior guidance, the new guidance provides specific input into areas of disclosure.

Risk Factors

Obviously, where appropriate, cybersecurity risks need to be included in risk factor disclosures. The SEC guidance in this regard is very common-sense. Companies should evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber-incidents and the severity and frequency of those incidents. Companies should consider the probability of an incident and the quantitative and qualitative magnitude of the risk, including potential costs and other consequences of an attack or other incident.  Consideration should be given to the potential impact of the misappropriation of assets or sensitive information, corruption of data or operational disruptions. A company should also consider the adequacy of preventative processes and plans in place should an attack occur.  Actual threatened attacks may be material and require disclosure.

As with all risk-factor disclosures, the company must adequately describe the nature of the material risks and how such risks affect the company. Likewise, generic risk factors that could apply to all companies should not be included. Risk factor disclosure may include:

  • Discussion of the company’s business operations that give rise to material cybersecurity risks and the potential costs and consequences, including industry specific risks and third-party and service-provider risks;
  • The costs associated with maintaining cybersecurity protections, including insurance coverage;
  • The probability of an occurrence and its potential magnitude;
  • Potential for reputational harm;
  • Description of past incidents, including their severity and frequency;
  • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including any limits on the company’s ability to prevent or mitigate risks;
  • Existing and pending laws and regulations that may affect the company’s cybersecurity requirements and the associated costs; and
  • Litigation, regulatory investigation and remediation costs associated with cybersecurity incidents.

Management Discussion and Analysis (MD&A)

In MD&A a company should consider all the same factors that it would consider in its risk factors.  A company would need to include discussion of cybersecurity risks and incidents in its MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential future incidents result in a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity or financial condition, or could impact previously reported financial statements. The discussion should include any material realized or potential reduction in revenues, loss of intellectual property, remediation efforts, maintaining insurance, increase in cybersecurity protection costs, addressing harm to reputation and litigation and regulatory investigations.  Furthermore, even if an attack did not result in direct losses, such as in the case of a failed attempted attack, but does result in other consequences, such as a material increase in cybersecurity expenses, disclosure would be appropriate.

Business Description; Legal Proceedings

Disclosure of cyber-related matters may be required in a company’s business description where they affect a company’s products, services, relationships with customers and suppliers or competitive conditions. Likewise, material litigation would need to be included in the “legal proceedings” section of a periodic report or registration statement. The litigation disclosure should include any proceedings that relate to cybersecurity issues.

Financial Statements

Cyber-matters may need to be included in a company’s financial statements prior to, during and/or after an incident. Costs to prevent cyber-incidents are generally capitalized and included on the balance sheet as an asset. GAAP provides for specific recognition, measurement and classification treatment for the payment of incentives to customers or business relations, including after a cyber-attack.  Cyber-incidents can also result in direct losses or the necessity to account for loss contingencies, including those related to warranties, direct loss of revenue, providing customers with incentives, breach of contract, product recall and replacement, indemnification or remediation. Incidents can result in loss of, and therefore accounting impairment to, goodwill, intangible assets, trademarks, patents, capitalized software and even inventory.  Financial statement disclosure may also include expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional service providers.

Board Risk Oversight

A company must disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure. To the extent cybersecurity risks are material to a company’s business, this discussion should include the nature of the board’s role in overseeing the management of that risk. Information should also be included on how the board engages with management on cybersecurity risk management.

Controls and Procedures

The new guidance clearly provides that companies should adopt comprehensive policies and procedures related to cybersecurity and assess their compliance regularly, including policy/procedure compliance related to the sufficiency of disclosure controls and procedures. Procedures must address a company’s ability to record, process, summarize and report financial and other information in SEC filings. Additionally, any deficiency in these controls and procedures should be reported.

The SEC reminds companies that their principal executive officer and principal financial officer must make individual certifications regarding the design and effectiveness of disclosure controls and procedures. These certifications should take into account cybersecurity-related controls and procedures.

Furthermore, as discussed above, a company should have proper policies and procedures preventing officers, directors and other insiders from trading on material nonpublic information related to cybersecurity risks and incidents.

Regulation FD and Selective Disclosure

Companies may have disclosure obligations under Regulation FD related to cybersecurity matters. Under Regulation FD, “when an issuer, or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of that information.” The SEC reminds companies that these requirements also relate to cybersecurity matters and that, along with all the other disclosure requirements, policies and procedures should specifically address any disclosures of material non-public information related to cybersecurity.

The 2017 SEC Government-Business Forum On Small Business Capital Formation

On November 30, 2017, the SEC held its annual Government-Business Forum on Small Business Capital Formation (the “Forum”). It will be several months until the final report with recommendations from the forum is published, but the opening remarks from SEC Chair Jay Clayton and Commissioners Kara Stein and Michael Piwowar provide ongoing and consistent guidance as to the current focus of the SEC. For a review of the recommendations by last year’s forum, see HERE.

As expected, the topics of cryptocurrency and ICO’s were front and center at the Forum. In his opening remarks at the Forum, Division of Corporation Finance Director William Hinman confirmed that the SEC believes that ICO’s generally involve securities offerings and that the securities laws must be complied with. Hinman continued that the SEC is providing guidance through enforcement and public statements on the topic.

As with other statements and speeches, the SEC hedges by pointing out the validity of an ICO as a capital raising tool, and of course, the innovation potential of blockchain. The SEC is not trying to discourage ICO’s or blockchain innovation; it is trying to discourage ICO’s that fail to comply with securities laws, and the unfortunate, multiple frauds being perpetrated as a result of the frenzy surrounding this new technology.

Remarks by Chairman Jay Clayton

Chair Clayton is consistent with the theme he has been putting forth since taking office: The SEC is committed to helping Main Street investors. The Forum provides a key opportunity for the small-cap marketplace to have their voices heard regarding issues and desired changes to federal securities regulations and the regulatory system.

Chair Clayton reiterates the SEC’s three-part mission to (i) protect investors; (ii) maintain fair, orderly and efficient markets; and (iii) facilitate capital formation. Furthermore, although capital formation is important for all businesses, small and medium-sized businesses contribute the most to U.S. job creation, generating 62% of new jobs. Along the same lines, the SEC wants to open more investment opportunities into small businesses for Main Street investors. In that regard, Jay Clayton points out the Regulation A public offering process. As an aside, I was happy to see him recognize Regulation A as an IPO, whereas when he first took office, he seemed to view Regulation A as outside the IPO realm.

Remarks by Commissioner Michael Piwowar

Michael Piwowar’s statement was short and pointed. As anyone that follows my blog knows, I am a fan of Piwowar, agreeing with most of his views, and more so his willingness to express those views, even when contrary to other SEC chiefs or the legislature. Mr. Piwowar has been vocal about his disagreement with the pay ratio disclosure requirements mandated by the Dodd-Frank Act and uses his statement as an opportunity to reiterate that view, while pointing out that the recent interpretative guidance on the subject will help with the compliance burden. I have not written about that guidance as of yet, but my prior blog on the pay ratio rules can be read HERE.

Commissioner Piwowar also points out other SEC actions to assist with small businesses and capital formation, including the newest proposed rules to modernize and simplify disclosures (see HERE) and the SEC’s action to allow all companies to file confidential registration statements (see HERE).

Commissioner Piwowar ends his statement by promising that he will personally give careful consideration to this year’s recommendations of the Forum. I hope so, as the recommendations are always on point to assist the small-cap marketplace.

Remarks by Commissioner Kara Stein

Commissioner Stein began with the usual niceties regarding the forum and its importance for communication between regulators and the small-cap market. Adding her own perspective, Commissioner Stein points out that a lot of the SEC’s effort and rules are “designed to facilitate trust between… market participants – the small businesses seeking to raise capital, the investors who wish to support their growth, and their service providers.”  Continuing to add her own unique voice, Ms. Stein talked about the need for diversity of companies and investors and bringing capital raising (and a voice in the process) to different parts of the country.

The Senate Banking Committee’s Hearing On Cryptocurrencies

On February 6, 2018, the United States Senate Committee on Banking, Housing, and Urban Affairs (“Banking Committee”) held a hearing on “Virtual Currencies: The Oversight Role of the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission.” Both SEC Chairman Jay Clayton and CFTC Chairman J. Christopher Giancarlo testified and provided written testimony. The marketplace as a whole had a positive reaction to the testimony, with Bitcoin prices immediately jumping up by over $1600. This blog reviews the testimony and provides my usual commentary.

The SEC and CFTC Share Joint Regulatory Oversight

The Banking Committee hearing follows SEC and CFTC joint statements on January 19, 2018 and a joint op-ed piece in the Wall Street Journal published on January 25, 2018 (see HERE). As with other areas in capital markets, such as swaps, the SEC and CFTC have joint regulatory oversight over cryptocurrencies. Where the SEC regulates securities and securities markets, the CFTC does the same for commodities and commodity markets.

Bitcoin has been determined to be a commodity and as such, the CFTC has regulatory oversight over futures, options, and derivatives contracts on virtual currencies and has oversight to pursue claims of fraud or manipulation involving a virtual currency traded in interstate commerce. Nevertheless, the CFTC does NOT have regulatory jurisdiction over markets or platforms conducting cash or “spot” transactions in virtual currencies or other commodities or over participants on such platforms. These spot virtual currency or cash markets often self-certify or are subject to state regulatory oversight. However, the CFTC does have enforcement jurisdiction to investigate fraud and manipulation in virtual currency derivatives markets and in underlying virtual currency spot markets.

The SEC does not have jurisdiction over currencies, including true virtual currencies. However, many, if not all, token offerings have been for the purpose of raising capital and have involved speculative investment contracts, thus implicating the jurisdiction of the SEC, in the offering and secondary trading markets.

Chair Clayton repeated that “every ICO I’ve seen is a security,” and added, “[T]hose who engage in semantic gymnastics or elaborate re-structuring exercises in an effort to avoid having a coin be a security are squarely in the crosshairs of our enforcement division.” Chair Clayton is very concerned that Main Street investors are getting caught up in the hype and investing money they cannot afford to lose, without proper (if any) disclosure, and without understanding the risks.  He also reiterates previous messaging that to date no ICO has been registered with the SEC and that ICO’s are international in nature such that the SEC may not be able to recover lost funds or effectively pursue bad actors. Cybersecurity is also a big risk associated with ICO investments and the cryptocurrency market as a whole. Chair Clayton cites a study that more than 10% of total ICO proceeds, estimated at over $400 million, has been lost to hackers and cyberattacks.

It is becoming increasingly certain that the U.S. will impose a new regulatory regime over those tokens that are not a true cryptocurrency, which would likely include all tokens issued on the Ethereum blockchain for capital raising purposes. Clayton made the distinction between Bitcoin, which is decentralized, on a public blockchain and mined or produced by the public, and other “securities tokens,” which are the cryptocurrencies that are developed by an organization and created and issued primarily for capital formation and secondary trading.

Many tokens are being fashioned that outright and purposefully resemble equity in an enterprise as a new way to represent equity and capital ownership. Clearly this falls directly within the SEC jurisdiction, and state corporate regulatory oversight as well. Furthermore, there are instances where a token is issued in a capital-raising securities offering and later becomes a commodity, or instances where a token securities offering is bundled to include options or futures contracts, implicating both SEC and CFTC compliance requirements.

In the Banking Committee testimony, the SEC and CFTC presented a united front, confirming that they are cooperating and working together to ensure effective oversight. Both agencies have established virtual currency task forces and their respective enforcement divisions are cooperating and sharing information. Also, both agencies have launched efforts to educate the public on virtual currencies, with the CFTC publishing numerous articles and creating a dedicated “Bitcoin” webpage.

In addition to cooperating with each other, they are also cooperating and communicating with the NASAA, the Consumer Financial Protection Bureau, FinCEN, the IRS, state regulators and others.

The Technology

Consistent with all statements by the regulators, both the SEC and CFTC agree that blockchain technology is disruptive and has the potential to, and likely will, change the capital markets. Moreover, both agencies consistently reiterate their support of these changes and desire to foster innovation. In fact, the new technology has the potential to help regulators better monitor transactions, holdings and obligations and other market activities.

Chair Giancarlo’s testimony states that “DLT is likely to have a broad and lasting impact on global financial markets in payments, banking, securities settlement, title recording, cyber security and trade reporting and analysis. When tied to virtual currencies, this technology aims to serve as a new store of value, facilitate secure payments, enable asset transfers, and power new applications.” In addition, smart contracts have the ability to value themselves in real time and report information to data repositories.

However, regulation and oversight need to be fashioned that properly address the new technology and business operations. Both agencies are engaging in discussions with industry participants at all levels. A few of the key issues that will need to be resolved include custody, liquidation, valuation, cybersecurity at all levels, governance, clearing and settlement, and anti-money laundering and know-your-customer matters.

Overall, Chair Giancarlo seemed more positive and excited about blockchain and Bitcoin, pointing out current uses including a recent transaction where 66 million tons of American soybeans were handled in a blockchain transaction to China. Chair Clayton, while likely also very enthusiastic about the technology, is currently more focused on the fraud and misuse that has consumed this space recently.

Current Regulations and Needed Change

While the agencies investigate and review needed changes to the regulatory environment, both maintain that current regulations can be relied upon to address the current state of the market. On the SEC side, Chair Clayton walked the Banking Committee through previous SEC statements and the DAO Section 21(a) report issued in July 2017. He again confirmed that the Howey Test remains the appropriate standard for determining whether a particular token involves an investment contract and the application of the federal securities laws. The current registration and exemption requirements are also appropriate for ICO offerings. An issuer can either register an offering, or rely on exemptions such as Regulation D for any capital-raising transaction, including those involving tokens.

Conversely, the current regulatory framework related to exchange-traded fund products (ETF’s) needs some work before a virtual currency product could be approved. Issues remain surrounding liquidity, valuation, custody of holdings, creation, redemption and arbitrage. In that regard, in a coming blog, I will review an SEC letter dated January 18, 2018 entitled “Engaging on Fund Innovation and Cryptocurrency-related Holdings” outlining why a crypto-related ETF would not be approved at this time. Senator Mark Warner was quick to point out that there seems to be a regulatory disconnect where an SEC-governed ETF is not approved, but a CFTC-governed Bitcoin future is allowed.

The current federal broker-dealer registration requirements remain the best test to determine if an exchange or other offering participant is required to be registered and a member of FINRA. Chair Clayton repeats his warning shot to gatekeepers such as attorneys and accountants that are involved in ICO’s and the crypto marketplace as a whole. Chair Clayton expresses concern that crypto markets often look similar to regulated securities markets and even are called “exchanges”; however, “investors transacting on these trading platforms do not receive many of the market protections that they would when transacting through broker-dealers on registered exchanges or alternative trading systems (ATSs), such as best execution, prohibitions on front running, short sale restrictions, and custody and capital requirements.”

CFTC Chair Giancarlo reiterated that current regulations related to futures, options, and derivatives contracts, and the registration (or lack thereof through self-certification) of spot currency exchanges are being utilized in the virtual currency market. However, the part of the regulatory system that completely defers to state law may need change. In particular, check cashing, payment processing and money transmission services are primarily state regulated. Many of the Internet-based cryptocurrency trading platforms have registered as payment services and are not subject to direct oversight by the SEC or the CFTC, and both agencies expressed concern about this jurisdictional gap.

Giancarlo was especially critical of this state-by-state approach and suggested new federal legislation, including legislation related to data reporting, capital requirements, cybersecurity standards, measures to prevent fraud, price manipulation, anti-money laundering, and “know your customer” protections. “To be clear, the CFTC does not regulate the dozens of virtual currency trading platforms here and abroad,” Giancarlo said, clarifying that the CFTC can’t require cyber-protections, platform safeguards and other things that consumers might expect from traditional marketplaces.

Chair Clayton expressed the same concerns, especially the lack of protections for Main Street investors. Chair Clayton stated, “I think our Main Street investors look at these virtual currency platforms and assume they are regulated in the same way that a stock is regulated and, as I said, it’s far from that and I think we should address that.”

I am always an advocate of federal oversight of capital markets matters that cross state lines. A state-by-state approach is always inconsistent, expensive, and inefficient for market participants.

Both agencies are clear that regardless of the technology and nomenclature, they are and will continue to actively pursue cases of fraud and misconduct. Current regulations or questions related to needed changes do not affect this role. However, Chair Clayton did impress upon the Banking Committee that the current hiring freeze and budgetary restraints are an impediment. The SEC specifically needs more attorneys in their enforcement and trading and markets divisions.

Further Reading on DLT/Blockchain and ICO’s

For an introduction on distributed ledger technology, including a summary of FINRA’s Report on Distributed Ledger Technology and Implication of Blockchain for the Securities Industry, see HERE.

For a discussion on the Section 21(a) Report on the DAO investigation, statements by the Divisions of Corporation Finance and Enforcement related to the investigative report and the SEC’s Investor Bulletin on ICO’s, see HERE.

For a summary of SEC Chief Accountant Wesley R. Bricker’s statements on ICO’s and accounting implications, see HERE.

For an update on state distributed ledger technology and blockchain regulations, see HERE.

For a summary of the SEC and NASAA statements on ICO’s and updates on enforcement proceedings as of January 2018, see HERE.

For a summary of the SEC and CFTC joint statements on cryptocurrencies, including The Wall Street Journal op-ed article and information on the International Organization of Securities Commissions statement and warning on ICO’s, see HERE.

For a review of the CFTC role and position on cryptocurrencies, see HERE.

Inquiries of a technical nature are always encouraged. Contact us now.

The CFTC And Cryptocurrencies

The SEC and U.S. Commodity Futures Trading Commission (CFTC) have been actively policing the crypto or virtual currency space. Both regulators have filed multiple enforcement actions against companies and individuals for improper activities including fraud. On January 25, 2018, SEC Chairman Jay Clayton and CFTC Chairman J. Christopher Giancarlo published a joint op-ed piece in the Wall Street Journal on the topic.

Backing up a little, on October 17, 2017, the LabCFTC office of the CFTC published “A CFTC Primer on Virtual Currencies” in which it defines virtual currencies and outlines the uses and risks of virtual currencies and the role of the CFTC. The CFTC first found that Bitcoin and other virtual currencies are properly defined as commodities in 2015. Accordingly, the CFTC has regulatory oversight over futures, options, and derivatives contracts on virtual currencies and has oversight to pursue claims of fraud or manipulation involving a virtual currency traded in interstate commerce. Beyond instances of fraud or manipulation, the CFTC generally does not oversee “spot” or cash market exchanges and transactions involving virtual currencies that do not utilize margin, leverage or financing. Rather, these “exchanges” are regulated as payment processors or money transmitters under state law.

The role of the CFTC is substantially similar to the SEC with a mission to “foster open, transparent, competitive and financially sound markets” and to “protect market users and their funds, consumers and the public from fraud, manipulation and abusive practices related to derivatives and other products subject to the Commodity Exchange Act (CEA).” The definition of a commodity under the CEA is as broad as the definition of a security under the Securities Act of 1933, including a physical commodity such as an agricultural product, a currency or interest rate or “all services, rights and interests in which the contracts for future delivery are presently or in the future dealt in” (i.e., futures, options and derivatives contracts).

Where the SEC regulates securities and securities markets, the CFTC does the same for commodities and commodity markets. At times the jurisdiction of the two regulators overlaps, such as related to swap transactions (see HERE). Furthermore, while there are no SEC licensed securities exchanges which trade virtual currencies or any tokens, there are several commodities exchanges that trade virtual currency products such as swaps and options, including the TeraExchange, North American Derivatives Exchange and LedgerX.

The Commodity Exchange Act would prohibit the trading of a virtual currency future, option or swap on a platform or facility not licensed by the CFTC. Moreover, the National Futures Association (NFA) is now requiring member commodity pool operators (CPO’s) and commodity trading advisors (CTA’s) to immediately notify the NFA if they operate a pool or manage an account that engaged in a transaction involving a virtual currency or virtual currency derivative.

The CFTC refers to the IRS’s definition of a “virtual currency” and in particular:

A virtual currency is a digital representation of value that functions as a medium of exchange, a unit of account, and/or a store of value. In some environments it operates like real currency but it does not have legal tender status in the U.S. Virtual currency that has an equivalent value in real currency, or that acts as a substitute for real currency, is referred to as a convertible virtual currency.  Bitcoin is one example of a convertible virtual currency.

I note that neither the CFTC’s definition of Bitcoin as a commodity, nor the IRS’s definition of a virtual currency, conflicts with the SEC’s position that most cryptocurrencies and initial cryptocurrency offerings today are securities requiring compliance with the federal securities laws. The SEC’s position is based on an analysis of the current market for ICO’s and the issuance of “coins” or “tokens” for capital raising transactions and as speculative investment contracts. In fact, a cryptocurrency which today may be an investment contract (security) can morph into a commodity (currency) or other type of digital asset. For example, an offering of XYZ token for the purpose of raising capital to build a software or blockchain platform or community where XYZ token can be used as a currency would rightfully be considered a securities offering that needs to comply with the federal securities laws. However, when the XYZ token is issued and can be used as a form of currency, it would become a commodity. Furthermore, the bundling of a token securities offering to include options or futures contracts may implicate both SEC and CFTC compliance requirements.

The CFTC primer gives a little background on Bitcoin, which was created in 2008 by a person or group using the pseudonym “Satoshi Nakamoto” as an electronic payment system based on cryptographic proof allowing any two parties to transact directly without the need for a trusted third party, such as a bank or credit card company. Bitcoin is partially anonymous, with individuals being identified by an alphanumeric address. Bitcoin runs on a blockchain-decentralized network of computers and uses open-source software and “miners” to validate transactions through solving complex algorithmic mathematical equations.

A virtual currency can be used as a store of value; however, virtual currencies are not a yield asset in that they do not generate dividends or interest. Virtual currencies can generally be traded with resulting capital gains or losses. The CFTC, like all regulators, points out the significant speculation and volatility risk. The CFTC reiterates the large incidents of fraud involving crypto marketplaces. Furthermore, there is a significant cybersecurity risk. If a “wallet” holding cryptosecurities is hacked, they are likely gone without a chance of recovery.

Although many virtual currencies, including Bitcoin, market themselves as a payment method, the ability to utilize Bitcoin and other virtual currencies for everyday goods and services has not yet come to fruition. In fact, the trend toward Bitcoin being a regularly accepted payment seems to have gone the other way, with payment processor Stripe, tech giant Microsoft and gaming platform Steam discontinuing Bitcoin support due to lengthy transaction times and increased transaction failure rates.


The SEC And CFTC Joint Statements On Cryptocurrencies; Global Regulators Join In

On January 19, 2018 and again on January 25, 2018, the SEC and CFTC divisions of enforcement issued joint statements regarding cryptocurrencies. The January 19 statement was short and to the point, reading in total:

“When market participants engage in fraud under the guise of offering digital instruments – whether characterized as virtual currencies, coins, tokens, or the like – the SEC and the CFTC will look beyond form, examine the substance of the activity and prosecute violations of the federal securities and commodities laws. The Divisions of Enforcement for the SEC and CFTC will continue to address violations and bring actions to stop and prevent fraud in the offer and sale of digital instruments.”

The January 25, 2018 statement was issued by SEC Chairman Jay Clayton and CFTC Chairman J. Christopher Giancarlo and was published as an op-ed piece in the Wall Street Journal.  In summarizing the statements, I add my usual commentary and facts and information on this fast-moving marketplace.

Distributed ledger technology, or DLT, is the advancement that underpins an array of new financial products, including cryptocurrencies and digital payment services. Clearly the regulators understand the technological disruption, pointing out that “[S]ome have even compared it [DLT] to productivity-driving innovations such as the steam engine and personal computer.”

The regulators are careful not to discourage the technological advancement or investments themselves, but rather want only those who are sophisticated and can afford a loss to participate. Likewise, unfortunately, with every boom come fraudsters, and investors have to ask the right questions and perform the right due diligence.

Like the dot-com era, of the hundreds (or thousands) of companies popping up in this space, few will survive, and investments in those that do not will be lost. The message from the regulators remains consistent, cautioning investors about the high risks with investments in this new space and stating that “[T]he CFTC and SEC, along with other federal and state regulators and criminal authorities, will continue to work together to bring transparency and integrity to these markets and, importantly, to deter and prosecute fraud and abuse.”

While the initial cryptocurrencies, like bitcoin and ether, were likened to a payment alternative to fiat currencies like the dollar and euro, these alternative currencies are very different.  None are backed by a sovereign government, and they lack governance standards, accountability and oversight, reliable reporting of trading, or consistent reporting of price and other financial metrics.

Of course, this is an exciting era of development and Chairs Clayton and Giancarlo know that, stating:

“This is not a statement against investments in innovation. The willingness to pursue the commercialization of innovation is one of America’s great strengths. Together Americans embrace new technology and contribute resources to developing it. Through great human effort and competition, strong companies emerge. Some of the dot-com survivors are among the world’s leading companies today. This longstanding, uniquely American characteristic is the envy of the world. Our regulatory efforts should embrace it.”

The SEC and CFTC are considering whether the historic approach to the regulation of currency transactions is appropriate for the cryptocurrency markets. Check cashing, payment processing and money transmission services are primarily state regulated. Many of the Internet-based cryptocurrency trading platforms have registered as payment services and are not subject to direct oversight by the SEC or the CFTC. For example, Coinbase has money transmitting licenses from the majority of states. Gemini is a licensed trust company with the New York State Department of Financial Services. Furthermore, the Bank Secrecy Act and its anti-money laundering (AML) requirements apply to those in the business of accepting and transmitting, selling or storing cryptocurrencies.

Not a single cryptocurrency trading platform is currently registered by the SEC or CFTC. However, two CFTC-regulated exchanges have now listed bitcoin futures products and, in doing so, engaged in lengthy conversations with the CFTC, ultimately agreeing to implement risk mitigation and oversight measures, heightened margin requirements, and added information sharing agreements with the underlying bitcoin trading platforms. In my next blog I will drill down on the CFTC’s regulatory role and position on cryptocurrencies including a discussion of its October 17, 2017 published article, “A CFTC Primer on Virtual Currencies.”

The SEC does not have jurisdiction over transactions involving currencies or commodities; however, where an offering of a cryptocurrency has characteristics of a securities offering, the SEC and state securities regulators have, and have exercised, jurisdiction. In addition to the many SEC enforcement proceedings I have written about, state regulators have likewise been very active in the enforcement arena against those offering cryptocurrency- or blockchain-related investments. The SEC is carefully monitoring the entire marketplace including issuers, broker-dealers, investment advisors and trading platforms.  On January 18, 2018, the SEC issued a no-action letter prohibiting the registration under the Investment Company Act of 1940 of U.S. investment funds that desire to invest substantially in cryptocurrency and related products. I will provide further details on this letter in an upcoming blog.

As the boom has continued, many cryptocurrencies are simply being marketed for their potential increase in value on secondary trading platforms, again none of which are licensed by the SEC or CFTC.  The utility side of the tokens (if any) has taken a back seat to the craze.  Although a few trading platforms are licensed by state regulators as payment processors, many overseas are not licensed by any regulator whatsoever.

As the SEC has been repeating, the op-ed piece again clearly states that “federal securities laws apply regardless of whether the offered security—a purposefully broad and flexible term—is labeled a  ‘coin’ or ‘utility token’ rather than a stock, bond or investment contract. Market participants, including lawyers, trading venues and financial services firms, should be aware that we are disturbed by many examples of form being elevated over substance, with form-based arguments depriving investors of mandatory protections.”

While attending the North American Bitcoin Conference in Miami a few weeks ago, I was amazed at the thousands of attendees and companies. I go to a lot of financial conferences and had never seen anything like this. I understand the concerns of the regulators and the need to issue constant warnings. While I met some extremely smart people and learned about great companies that could have hugely successful futures, many others were obviously trying to ride a boom, with nothing to offer. They lacked a strong management team, technological know-how, engineers and programmers, a real business, a real plan, or anything to support lasting value of the token issued in their ICO, or being touted for a future issuance. The sole opportunity for an investor was a potential increase in secondary trading value, which was being propped up with hundreds of thousands of dollars (raised in the ICO) of marketing, including crews of people paid to talk about the token on chat boards such as Telegram.

Like many practitioners, I am fascinated with the technology and disruption it will bring to many aspects of our lives including the arenas of corporate finance and trading markets, and have even invested.

International Organization of Securities Commissions Issues Warning on ICO’s

On January 18, 2018, the Board of the International Organization of Securities Commissions (“IOSCO”) issued a warning on ICO’s including the high risk associated with these speculative investments and concerns about fraud. The IOSCO is the leading international policy forum for securities regulators and is a recognized standard setter for securities regulation. The group’s members regulate more than 95% of the world’s securities markets in more than 115 jurisdictions.

The statement from IOSCO points out that ICO’s are not standardized and their legal and regulatory status depends on a facts and circumstances analysis. ICO’s are highly speculative and there is a chance that an entire investment will be lost. The warning continues:

“[W]hile some operators are providing legitimate investment opportunities to fund projects or businesses, the increased targeting of ICOs to retail investors through online distribution channels by parties often located outside an investor’s home jurisdiction — which may not be subject to regulation or may be operating illegally in violation of existing laws — raises investor protection concerns.”

The IOSCO has provided its members with information on approaches to ICO’s and related due diligence. The IOSCO has also established an ICO Consultation Network with its members to continue the discussion.


SEC and NASAA Statements on ICOs and More Enforcement Proceedings

The message from the SEC is very clear: participants in initial coin offerings (ICO’s) and cryptocurrencies in general need to comply with the federal securities laws or they will be the subject of enforcement proceedings. This message spreads beyond companies and entities issuing cryptocurrencies, also including securities lawyers, accountants, consultants and secondary trading platforms. Moreover, the SEC is not the only watchdog. State securities regulators and the plaintiffs’ bar are both taking aim at the crypto marketplace. Several class actions have been filed recently against companies that have completed ICO’s.

After a period of silence, on July 25, 2017, the SEC issued a Section 21(a) Report on an investigation and related activities by the DAO, with concurrent statements by both the Divisions of Corporation Finance and Enforcement. On the same day, the SEC issued an Investor Bulletin related to ICO’s. For more on the Section 21(a) Report, statements and investor bulletin, see HERE. Since that time, the SEC has engaged in a steady flow of enforcement proceedings and statements on the subject.

The DAO report centered on a traditional analysis to determine whether a token is a security and thus whether an ICO is a securities offering. In particular, the nature of a digital asset (“coin” or “token”) must be examined to determine if it meets the definition of a security using established principles, including the Howey Test. See HERE for a discussion on the Howey Test. The report also pointed out that participants in ICO’s are subject to federal securities laws to the same extent they are in other securities offerings, including broker-dealer registration requirements, and that securities exchanges providing for trading must register unless an exemption applies.

On November 1, 2017, the SEC issued a warning to the public about the improper marketing of certain ICO’s, token offerings and investments, including promotions and endorsements by celebrities. Celebrities, like any other promoter, are subject to the provisions of Section 17(b) of the Securities Act, including the requirement to disclose the nature, scope, and amount of compensation received in exchange for the promotion. For more on Section 17(b) and securities promotion in general, see HERE.

On December 11, 2017, SEC Chairman Jay Clayton issued a statement on cryptocurrencies and initial coin offerings. In that statement, Clayton drilled down on the sudden rise of “non-security” ICO’s, now being referred to as “utility tokens,” clearly conveying the message that if a token has attributes of a security, it will be governed as a security. To make the message even clearer, also on December 11, 2017, the SEC halted the ICO by Munchee, Inc., disagreeing with Munchee’s statements and conclusions that its token was a “utility token” and not a security.

This was not the first ICO halt. On December 4, 2017, the SEC halted the ICO by PlexCorps, with claims that included outright fraud along with an unregistered offering. The SEC has also taken aim at companies that are in the crypto space in general, having halted the trading of The Crypto Company on December 19, 2017 after a 2,700% stock price increase. This was not the first trading halt, either. Others include American Security Resources Corp, halted on August 24, 2017; First Bitcoin Capital, halted on August 23, 2017; CIAO Group, halted on August 9, 2017; and Sunshine Capital on June 7, 2017.

More recently, on January 5, 2018, the SEC halted the trading of UBI Blockchain Internet, Ltd. citing questions regarding the accuracy of information in SEC filings and concerns about market activity, which was the epitome of an unexplained stock surge.

On August 28, 2017, the SEC issued an investor alert warning about public companies making ICO-related claims. The alert specifically mentioned the trading suspensions and warned that ICO claims could be a sign of a pump-and-dump scheme.

On January 4, 2018, Chair Clayton issued another statement, this time joined by Commissioners Kara Stein and Michael Piwowar, commenting on the North American Securities Administrators Association (NASAA) statement made the same day. The NASAA is a group comprised of state securities regulators, which, among other functions, acts as a communication arm for the individual state regulators on important marketplace topics.

Jay Clayton’s December 11, 2017 Statement

Jay Clayton begins his December 11, 2017 statement with an acknowledgement of the “tales of fortunes made and dreamed to be made,” which is a perfect description of ICO mania. Keeping with the SEC theme under Clayton, he then addresses ICO considerations for Main Street investors. In addition to warning of fraud and misrepresentations, he notes that ICO’s and cryptocurrency trading are a national marketplace and that invested funds may quickly move overseas. Furthermore, the SEC may not be able to gain jurisdiction or pursue bad actors or lost funds in other countries.

The fact is that as of today, no cryptocurrency offerings have been registered with the SEC. Although Jay Clayton doesn’t talk about what registration will really mean for an ICO, I note that, since registration is the process of ferreting out disclosures, it will force an entity issuing an ICO to be clear about the usefulness of its token, if any, and the risk factors not only associated with its token, but the marketplace as a whole. My firm is currently working on registration statements as well as private offering documents for ICO’s and blockchain technology entities. The complexity of this new industry and technology, and the uncertainty associated with legalities (including not only securities matters, but the implication of swap and commodity transactions, tax ramifications, intellectual property matters, etc.), are confounding to even the best and brightest.

The importance of the involvement and efforts by market professionals is not lost on the SEC.  In the beginning, many ICO’s, believing that this new investment vehicle was somehow not a security and therefore outside the parameters of the securities laws and SEC jurisdiction, forewent the advice of legal counsel and other professionals. Now that this belief has been rectified, in his statement, Jay Clayton reminds market professionals of their gatekeeping duties. Chair Clayton states, “[I] urge market professionals, including securities lawyers, accountants and consultants, to read closely the investigative report we released earlier this year (the “21(a) Report”) and review our subsequent enforcement actions.”

He continues: “[F]ollowing the issuance of the 21(a) Report, certain market professionals have attempted to highlight utility characteristics of their proposed initial coin offerings in an effort to claim that their proposed tokens or coins are not securities. Many of these assertions appear to elevate form over substance. Merely calling a token a ‘utility’ token or structuring it to provide some utility does not prevent the token from being a security… On this and other points where the application of expertise and judgment is expected, I believe that gatekeepers and others, including securities lawyers, accountants and consultants, need to focus on their responsibilities. I urge you to be guided by the principal motivation for our registration, offering process and disclosure requirements: investor protection and, in particular, the protection of our Main Street investors.” The bold emphasis was from the SEC, not added by me. The message could not be clearer.

Attorneys and other professionals are not the only groups that the SEC is taxing with gatekeeper responsibilities.  Jay Clayton adds: “[I] also caution market participants against promoting or touting the offer and sale of coins without first determining whether the securities laws apply to those actions. Selling securities generally requires a license, and experience shows that excessive touting in thinly traded and volatile markets can be an indicator of ‘scalping,’  ‘pump and dump’ and other manipulations and frauds.  Similarly, I also caution those who operate systems and platforms that effect or facilitate transactions in these products that they may be operating unregistered exchanges or broker-dealers that are in violation of the Securities Exchange Act of 1934.” Again, the bold emphasis is not mine.  Although Jay Clayton does not indicate so, I am unaware of any properly licensed secondary market or exchange for the trading of cryptocurrencies at this time.  TZero is properly licensed, but not up and functioning as of the date of this blog.

Jay Clayton’s statement is not all negative. He recognizes that ICO’s can be an effective method to raise capital and fund projects. He also recognizes that not all cryptocurrencies are securities. A specific example would be an in-app game with token purchases that can only be used to reach another level. However, Clayton points out that “[B]y and large, the structures of initial coin offerings that I have seen promoted involve the offer and sale of securities and directly implicate the securities registration requirements and other investor protection provisions of our federal securities laws.”

The Division of Enforcement has been instructed to vigorously police the ICO marketplace. Finally, the SEC encourages investors to conduct thorough due diligence before making an ICO investment. In that regard, he provides a list of basic questions that should be asked and considered before making any investment.

January 4, 2018 Statements by Chair Clayton and Commissioners Kara Stein and Michael Piwowar

On January 4, 2018, Chair Clayton and Commissioners Kara Stein and Michael Piwowar issued a statement commending the North American Securities Administrators Association’s (NASAA) own statement made the same day addressing concerns with ICO’s and cryptocurrencies. The NASAA is a group comprised of state securities regulators.

The SEC’s top brass specifically point out that cryptocurrencies are not, in fact, currencies in that they are not backed or regulated by sovereign governments and seem to be focused on a method of capital raising as opposed to mediums of exchange. Reiterating its other messaging, the SEC reminds the public that offerings and their participants must comply with the state and federal securities laws.

NASAA Statement on Cryptocurrencies and ICO’s

NASAA begins its statement with a consistent theme to the SEC, warning Main Street investors to be cautious about investments involving cryptocurrencies. NASAA, also like the SEC, encourages potential investors to conduct due diligence and ask questions before making an ICO (or any) investment.

NASAA includes a laundry list of risks and issues with ICO’s and crypto-related investments. NASAA points out that unlike fiat or traditional currencies, cryptocurrencies have no physical form and typically are not backed by tangible assets (though I note that this is a void that is quickly being addressed by new tokens backed by physical assets and commodities).

Furthermore, cryptocurrencies are not insured, not controlled by a central bank or other governmental authority, are subject to very little if any regulation, and cannot be easily exchanged for other commodities. Cryptocurrencies are susceptible to breaches, hacking and other cybersecurity risks, including on both the ICO issuer side and the investor side through direct breaches into a wallet or other digital storage. ICO’s are a global investment vehicle and, as such, US regulators may have no ability to recover lost funds or pursue bad actors.  Likewise, private civil proceedings could prove futile.

Moreover, the high volatility and high risk of cryptocurrency investments make them unsuitable for most investors. In both its statement and a very simple investor-directed animated video on the subject, NASAA clearly states that investors could lose all of their money in a crypto-related investment.

Regulators almost unanimously believe that cryptocurrencies involve a high risk of fraud. NASAA includes a list of obvious red flags, including guaranteed high returns, unsolicited offers, offers that sound too good to be true, pressure to buy immediately, and unlicensed sellers.

NASAA now lists ICO’s and cryptocurrency-related investment products as an emerging investor threat for 2018.

Further Reading on DLT/Blockchain and ICO’s

For an introduction on distributed ledger technology, including a summary of FINRA’s Report on Distributed Ledger Technology and Implication of Blockchain for the Securities Industry, see HERE.

For a discussion on the Section 21(a) Report on the DAO investigation, statements by the Divisions of Corporation Finance and Enforcement related to the investigative report and the SEC’s Investor Bulletin on ICO’s, see HERE.

For a summary of SEC Chief Accountant Wesley R. Bricker’s statements on ICO’s and accounting implications, see HERE.

For an update on state distributed ledger technology and blockchain regulations, see HERE.

State Distributed Ledger Technology and Blockchain Regulations

In a time of rapidly changing regulations and policies on all securities industry and corporate finance topics, and the development of distributed ledger technology (DLT or blockchain) and associated initial cryptocurrency offerings (ICO’s), I have never had so many topics in the queue to write about. With a once-a-week blog, I will just keep working through the list, reporting on all developments, some quicker than others.  In this blog, I am circling back to DLT with a synopsis of state law developments and the Uniform Law Commission’s (ULC) approved Uniform Regulation of Virtual Currency Business Act (Uniform VCBA).

Uniform Regulation of Virtual Currency Business Act (Uniform VCBA)

On July 19, 2017, the Uniform Law Commission (ULC) approved the Uniform Regulation of Virtual Currency Business Act (Uniform VCBA) to be used as a model for states seeking to adopt such legislation. The VCBA is money-transmitting or payment-processing-based legislation. The VCBA defines a money transmitter in an effort to provide clarity on what businesses are required to be licensed. The VCBA also provides an anti-money laundering (AML) framework that mirrors FinCEN requirements.

The VCBA focuses on control over the currency and transaction and requires licensing by any business that has the “power to execute unilaterally or prevent indefinitely a virtual currency transaction.” This definition is meant to distinguish virtual wallets that merely hold an individual’s virtual currency and process a transaction at the behest of such owner, without any additional powers.

Delaware

The Delaware Blockchain Initiative is the state’s program to welcome and encourage blockchain businesses and to establish regulatory clarity for their operations and the use of blockchain technology overall, including DLT.

The August 1, 2017 amendments to the Delaware General Corporation Law (DGCL) Sections 219, 224 and 232 will allow Delaware private companies to use DLT to maintain shareholder records, including authorized, issued, transferred, and redeemed shares, on a DLT system. As of now, the amendments to the DGCL are limited to private companies; however, the state of Delaware is in talks with the SEC related to implementing the technology for public companies.

DGCL Sections 219 and 224 have been amended to permit corporations to rely on a DLT as a stock ledger itself, potentially eliminating a separate transfer agent for private companies. Section 219(c) defines a “stock ledger” to include “one or more records administered by or on behalf of the corporation.” Section 224 provides that any records “administered by or on behalf of the corporation” could include “one or more distributed electronic networks for databases.”

A ledger must also: (i) be convertible into clearly legible paper form within a reasonable time; (ii) be able to be used to prepare the list of stockholders specified in Sections 219 and 220 (related to stockholder demands to inspect corporate books and records); (iii) be able to record information and maintain records for various statute sections related to shareholdings, including those related to consideration for partly paid shares, the transfer of shares for collateral, pledged shares and voting trusts; and (iv) be able to record transfers of shares in compliance with the Delaware Uniform Commercial Code.

Delaware is currently working in collaboration with a private company, Symbiont, to put together “smart securities,” which are allegedly impossible to counterfeit. The ledger could be maintained by either a closed or open group of participants.  The ledger and any transfers would be updated instantaneously, effectively allowing for T+0 settlement of trades.

Nevada

Preceding Delaware by a month, on June 5, 2017, Nevada’s governor signed Senate Bill 398 into law, confirming that blockchain records have legally binding status. Unlike Delaware, Nevada’s regulations do not amend its corporate statutes (i.e., Chapter 78, Nevada’s Private Corporation Law), but rather, similar to Arizona, amend Chapter 719, Nevada’s Uniform Electronic Transactions Act.

Nevada’s statute defines blockchain as an electronic record of transactions or other data which is: (i) uniformly ordered; (ii) redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data; and (iii) validated by the use of cryptography.

The Nevada statute prohibits local governments from imposing taxes or fees on the use of a blockchain; requiring a certificate, license or permit to use a blockchain; or imposing any other requirement related to the use of blockchain. Moreover, the Nevada statute provides “written” status to blockchain records.  In particular, “if a law requires a record to be in writing, submission of a blockchain which electronically contains the record satisfies the law.”

Arizona

Prior to both Nevada and Delaware, in March 2017 Arizona passed House Bill 2417 into law, confirming the legal status of blockchain records. Like Nevada, Arizona gives smart contracts and blockchain signatures legal binding status. In addition, the Arizona statute confirms that a smart contract has legally binding status, as would any other legal form of contract. Also like Nevada, Arizona’s provision is an amendment to its electronic transactions statute and not its corporate governance provisions.

Arizona defines “blockchain technology” as “distributed ledger technology that uses a distributed decentralized, shared and replicated ledger, which may be public or private, permissioned or permissionless, or driven by tokenized crypto economics or tokenless. The data on the ledger is protected with cryptography, is immutable and auditable and provides an uncensored truth.”

Arizona defines a “smart contract” as “an event driven program, with state, that runs on a distributed decentralized, shared and replicated ledger and that can take custody over and instruct transfer of assets on that ledger.”

Vermont

Vermont defines “blockchain technology” as “a mathematically secured, chronological and decentralized consensus ledger or database, whether maintained via Internet interaction, peer-to-peer network, or otherwise.” The Vermont statute confirms that blockchain records will be considered regular business records and makes blockchain records admissible as evidence under the Vermont rules of evidence.

Miscellaneous Virtual Currency Provisions

Multiple states, including Connecticut, New York, Oregon and Tennessee, have enacted legislation defining virtual currency and requiring money transmitters or payment processors that exchange virtual currency for U.S. dollars to be licensed. The New York statute (the BitLicense Regulation) has received a lot of pushback, with many claiming it is vague or overly difficult to comply with, causing many in the business to avoid New York jurisdiction.

Further Reading on DLT/Blockchain and ICO’s

For an introduction on distributed ledger technology, including a summary of FINRA’s Report on Distributed Ledger Technology and Implication of Blockchain for the Securities Industry, see HERE.

For a summary on a report on an investigation related to the DAO’s ICO, statements by the Divisions of Corporation Finance and Enforcement related to the investigative report and the SEC’s Investor Bulletin on ICO’s, see HERE.

For a summary of SEC Chief Accountant Wesley R. Bricker’s statements on ICO’s and accounting implications, see HERE.

SEC Statements On Cybersecurity – Part 2

On September 20, 2017, SEC Chair Jay Clayton issued a statement on cybersecurity that included the astonishing revelation that the SEC EDGAR system had been hacked in 2016. Since the original statement, the SEC has confirmed that personal information on at least two individuals was obtained in the incident. Following Jay Clayton’s initial statement, on September 25, 2017, the SEC announced two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICO’s).

The issue of cybersecurity is at the forefront for the SEC, and Jay Clayton is asking the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts.

This is the second in a two-part blog series summarizing Jay Clayton’s statement, the SEC EDGAR hacking and the new initiatives. Part I of this blog, which outlined Chair Clayton’s statement on cybersecurity and the EDGAR hacking, can be read HERE. This second part in the series discusses the new cyber-based enforcement initiatives.

Previously I issued a blog outlining SEC guidance on the disclosure of cybersecurity matters, which can be read HERE.

Enforcement Initiatives

The SEC has established two new cybersecurity-related enforcement initiatives to address cyber-based threats and protect retail investors. The first is the creation of a Cyber Unit that will focus on targeting cyber-related misconduct. The second is the formation of a retail strategy task force that will focus on issues that directly affect retail investors.

Cyber Unit

The Cyber Unit will focus on:

  • Market manipulation schemes involving false information spread through electronic and social media
  • Hacking to obtain material nonpublic information in order to trade in advance of some announcement or event, or to manipulate the market for a particular security or group of securities
  • Violations involving distributed ledger technology (blockchain) and initial coin offerings (ICO’s)
  • Misconduct perpetrated using the dark web
  • Intrusions into retail brokerage accounts to conduct manipulative trading
  • Cyber-related threats to trading platforms and other critical market infrastructure

Chair Clayton formed the group with the goal of creating a cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency. The Enforcement Division of the SEC has had to fast-track its expertise on matters related to cybersecurity including the advanced technologies that can be utilized.  It is thought that this focused enforcement initiative will further the SEC’s abilities to detect, respond to, and pursue misconduct.

On October 26, 2017, Stephanie Avakian, Co-Director of the Division of Enforcement, gave a speech in which she addressed both initiatives. She addressed the obvious need for the Cyber Unit in today’s world of ever-increasing cyber-related misconduct affecting the securities markets.

Expanding on the SEC’s list of areas of attention, Ms. Avakian indicates that the Cyber Unit will also focus on cases involving failures by registered entities to take appropriate steps to safeguard information or ensure system integrity. The Cyber Unit will work closely with the Office of Compliance, Inspections and Examinations (OCIE) in this area.

Further, the Cyber Unit will review cases involving the failure by publicly reporting entities to properly report and disclose cyber-related issues. The SEC has not yet brought a case in this space, but is expected to do so. The SEC expects companies to report cyber issues in risk factors and management discussion and analysis where appropriate and believes that the failure to do so could rise to a fraud issue under Rule 10b-5.

Retail Strategy Task Force

The Retail Strategy Task Force is planning to develop targeted initiatives to identify and pursue misconduct impacting retail investors.  The retail investor arena is a broad playing field including everything from the sales of unsuitable structured products to micro-cap pump-and-dump schemes. The Task Force will rely heavily on technology and analytics to identify problems. The Task Force includes enforcement personnel from around the country.

In her October 26, 2017 speech, Enforcement Co-Director Stephanie Avakian stated, “this group will look at the many ways that retail investors intersect with the securities markets and look for widespread misconduct.” In a time of tight budgets, the SEC is focused on thinking strategically to identify problems and find the most efficient way to pursue enforcement actions including, as mentioned, with technology. Data analytics can be used to identify data by groups such as by product, by investor type, by location, by sales or trading practice, or by fee. The SEC is even figuring out ways to use technology and data analytics to analyze the more than 16,000 tips it receives each year and integrate that data with other data points to identify issues.

Ms. Avakian gave specific examples of areas that the Retail Strategy Task Force will examine beyond the obvious Ponzi schemes and offering fraud, including:

  • Investment professionals steering customers to mutual fund share classes with higher fees, when lower-fee share classes of the same fund are available.
  • Abuses in wrap-fee accounts, including failing to disclose the additional costs of “trading away” or trading through unaffiliated brokers, and purchasing alternative products that generate additional fees.
  • Investors buying and holding products like inverse exchange-traded funds (ETFs) for long-term investment. These can be highly volatile products that are generally intended as a hedge against exposure to downward moving markets, and that face a long-term high risk of losing their principal. The SEC is increasingly seeing retail investors holding these products long-term, including in retirement accounts.
  • Problems in the sale of structured products to retail investors, including a failure to fully and clearly disclose fees, mark-ups, and other factors that can negatively impact returns.
  • Abusive practices like churning and excessive trading that generate large commissions at the expense of the investor.

In addition to enforcement, the Retail Strategy Task Force will have an investor outreach and education component. In that regard, we can expect to see Investor Bulletins and other SEC investor communications generated from the Task Force’s findings and efforts.

SEC Statements On Cybersecurity; An EDGAR Hacking

On September 20, 2017, SEC Chair Jay Clayton issued a statement on cybersecurity that included the astonishing revelation that the SEC EDGAR system had been hacked in 2016. Since the original statement, the SEC has confirmed that personal information on at least two individuals was obtained in the incident. Following Jay Clayton’s initial statement, on September 25, 2017, the SEC announced two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICO’s).

The issue of cybersecurity is at the forefront for the SEC, and Jay Clayton is asking the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts.

This is the first in a two-part blog series summarizing Jay Clayton’s statement, the SEC EDGAR hacking and the new initiatives. My prior blog outlining SEC guidance on the disclosure of cybersecurity matters can be read HERE.

Chair Clayton’s Statement on Cybersecurity and the EDGAR Hacking

Upon taking office in May 2017, Chair Clayton formed a senior-level cybersecurity working group to coordinate the sharing of information, risk monitoring and incident response efforts. Chair Clayton’s September 20, 2017 statement was part of the SEC’s ongoing initiatives and necessary to inform the public of the SEC’s own hacking incident. In addition to the revelation regarding the EDGAR hacking, Chair Jay Clayton’s statement emphasized the importance of cybersecurity to not only the SEC, but all market participants.

All market participants engage in data collection, storage, analysis, availability and protection to some extent, all of which are open to cybersecurity risks. Cyber attacks can be perpetrated by identity thieves, unscrupulous contractors and vendors, malicious employees, business competitors, prospective insider traders and market manipulators, hackers, terrorists, state-sponsored actors and others. Furthermore, the effects of attacks can be significant, including loss or exposure of consumer data, theft or exposure of intellectual property, investor losses resulting from the theft of funds, market value declines in companies subject to cyber attacks, and regulatory, reputational and litigation risks.

Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery. Chair Clayton’s statement provides detail on the SEC’s approach to cybersecurity, including: (i) the types of data they collect, hold and make publicly available; (ii) how the SEC manages cybersecurity risks and responds to cyber events; (iii) how the SEC incorporates cybersecurity considerations in their risk-based supervision of entities they regulate; (iv) how the SEC coordinates with other regulators to identify and mitigate cybersecurity risks; and (v) how the SEC uses its oversight and enforcement authorities, including to pursue cyber threats.

EDGAR Hacking

Before summarizing the other components of Chair Clayton’s statement, I will jump right to the topic that has gained national attention: EDGAR was hacked! Sometime in 2016, a software vulnerability in the test filing component of the EDGAR system was exploited. The opening was patched once discovered, but the hackers were able to obtain information through test filings that was used to make illicit trading gains. The hackers also obtained personal information, including names, dates of birth and Social Security numbers of at least two individuals. Chair Clayton was not informed of the hacking until August 2017.

The test filing system of EDGAR allows a company to make a non-public test filing of a registration statement or report (or any document that can be filed through the EDGAR system) to be sure the actual filing will be processed correctly. The test filing is usually made hours before the actual filing, but it can be made a day in advance. By having access to material information in filings prior to the marketplace, the hackers could trade on such information and make illegal profits.

When the SEC first announced the hacking on September 20, 2017, it stated that no personal information had been compromised, but in a second press release issued on October 2, 2017, the SEC confirmed that forensic data analysis uncovered further depths to the intrusion. In the October 2 press release, Chair Clayton outlined efforts to review and remediate the 2016 hacking, including:

  • A review of the 2016 EDGAR intrusion by the Office of Inspector General;
  • An investigation by the Division of Enforcement into the potential illicit trading resulting from the 2016 EDGAR intrusion (which seems to indicate that the perpetrator has been uncovered). Chair Clayton was first informed of the hacking in connection with this enforcement investigation;
  • A focused review and appropriate uplift of the EDGAR system with a concentration on cybersecurity matters, including its security systems, processes and controls. This review will include assessing the types of data that run through the EDGAR system and whether EDGAR is the appropriate mechanism to funnel such data;
  • A focused review and appropriate uplift of all systems that include the identification of sensitive data or personally identifiable information. This review will include assessing the types of data the SEC keeps and the related security systems, processes and controls; and
  • The SEC’s internal review of the 2016 EDGAR hacking to determine, among other things, the procedures followed in response to the intrusion. This review is being overseen by the Office of the General Counsel and includes an interdisciplinary investigative team including outside technology consultants.  Related to this, the SEC will enhance protocols for cybersecurity incidents.

In furtherance of this review and plan, Chair Clayton authorized the immediate hiring of additional staff and outside technology consultants to protect the security of the SEC’s network, systems and data.

Based on the SEC’s statements and testimony on the matter, there still remains a lot of secrecy surrounding the incident. For instance, the date or dates of the hacking have not been made public. The hacking was reported to the Department of Homeland Security, but the SEC commissioners were not notified. Moreover, the SEC has not revealed the type of information that was accessed nor which companies were affected.

Collection and Use of Data by the SEC

The SEC collects, stores and transmits data in three broad categories, including: (i) public facing data through the EDGAR system; (ii) non-public information including personally identifiable information related to supervisory and enforcement functions; and (iii) non-public information including personally identifiable information related to the SEC’s internal operations.

The first category involves data provided to the SEC by companies (such as public reports under the Exchange Act, and notices of private offerings on Form D) and investors (such as Section 13 and Section 16 filings). The second category includes data on companies, broker-dealers, investment advisors, investment companies, self-regulatory organizations (including FINRA), alternative trading systems, clearing agencies, credit rating agencies, municipal advisors and other market participants. The third category of data includes personnel records, internal investigations and data related to risk management and internal control processes.

Management of Internal Cybersecurity Risks

Notably, Chair Clayton begins this part of his statement by disclosing that the SEC is “the subject of frequent attempts by unauthorized actors to disrupt access to our public-facing systems, access our data, or otherwise cause damage to our technology infrastructure, including through the use of phishing, malware and other attack vectors.” As did occur with the EDGAR hacking, attackers stand to profit from information through trading activities, identity theft and a myriad of other improper uses of the illegally obtained information.

In addition to outside attacks, the SEC monitors for unauthorized actions by personnel.  In 2014, an internal review uncovered that certain laptops with sensitive information could not be located. There have also been instances where SEC personnel have used non-secure personal email accounts to transmit nonpublic information. The SEC mitigates the internal risk by requiring all personnel to complete privacy and security training.

To protect against all of its cyber-related threats, the SEC employs an agency-wide cybersecurity detection, protection and prevention program. The program includes cybersecurity protocols and controls, network protections, system monitoring and detection processes, vendor risk management processes, and regular cybersecurity and privacy training for employees. However, in light of current and changing technological advancements, the SEC intends to step up its efforts overall. As mentioned earlier, in that regard, the SEC is seeking an increase in its annual budget, and a lift on its current hiring limitations.

Just as the SEC expects public companies to maintain internal controls, including from the top down, on cybersecurity matters, so the SEC has internal policies and procedures requiring senior management to maintain policies, and to coordinate with other offices and divisions with respect to cybersecurity efforts, including risk reporting and testing.

Although all offices have responsibilities, the SEC Office of Information Technology has overall management and responsibility for the agency’s cybersecurity. The SEC’s cybersecurity program is subject to review from internal and external independent auditors, including to ensure compliance with the Federal Information Security Modernization Act of 2014 (“FISMA”).

The SEC also must report cybersecurity matters to outside agencies, including the Office of Management and Budget and the Department of Homeland Security, and has established information-sharing relationships with the National Cybersecurity and Communications Integration Center (“NCCIC”), the Financial and Banking Information Infrastructure Committee (“FBIIC”), and the Financial Services Information Sharing and Analysis Center (“FS-ISAC”).

Incorporation of Cybersecurity Considerations in the SEC’s Disclosure-Based and Supervisory Efforts

The SEC incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of the Commission’s review of public company disclosures, its oversight of critical market technology infrastructure, and its oversight of other regulated entities, including broker-dealers, investment advisors and investment companies. Related to public company disclosures, Chair Clayton referred to the SEC guidance summarized HERE.

Related to the SEC’s oversight of market infrastructure, including regulation of exchanges and clearing agencies, the SEC adopted Regulation Systems Compliance and Integrity in 2014. Regulation SCI was proposed and adopted to require key market participants to have comprehensive written policies and procedures to ensure the security and resilience of their technological systems, to ensure systems operate in compliance with federal securities laws, to provide for review and testing of such systems and to provide for notices and reports to the SEC. Key market participants generally include national securities exchanges and associations, significant alternative trading systems (such as OTC Markets, which has confirmed it is in compliance with the Regulation), clearing agencies, and plan processors. For a review of Regulation SCI, see HERE.

Furthermore, certain SEC rules and regulations governing broker-dealers, investment advisors and investment companies directly implicate information security practices. For example, Regulation S-P requires registered broker-dealers, investment companies and investment advisors to adopt written policies and procedures governing safeguards for the protection of customer information and records. Regulation S-ID requires these firms, to the extent they maintain certain types of covered accounts, to establish programs addressing how to identify, detect and respond to potential identity theft red flags.

Coordination with Other Governmental Entities

Effective cybersecurity programs require cooperation among government agencies. The SEC shares oversight responsibility on some matters with other agencies, including the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation. Furthermore, the SEC often coordinates with other agencies, such as the Federal Trade Commission and the Consumer Financial Protection Bureau. The SEC coordinates cybersecurity efforts with each of these agencies, and more.

Enforcement of the Federal Securities Laws

The SEC is committed to enforcing compliance with the cybersecurity disclosure obligations of reporting companies, and to enforcement proceedings against those that pursue cyber threats. Part of these efforts includes using advanced technology to monitor suspicious trading activity across companies, traders and geographic regions.

Chair Clayton sets out examples of enforcement actions, such as a case in 2016 against three traders for allegedly participating in a scheme to hack into two prominent New York-based law firms to steal information pertaining to clients that were considering mergers or acquisitions, which the hackers then used to trade. In another case, defendants allegedly hacked into newswire services to obtain non-public information about corporate earnings announcements. These are just two examples among dozens of cases.

SEC Chief Accountant Speaks On Initial Coin Offerings (ICO’s)

On September 11, 2017, the SEC Chief Accountant, Wesley R. Bricker, gave a speech before the AICPA National Conference on Banks & Savings Institutions. The bulk of the speech was similar to Mr. Bricker’s June 2017 speech before the 36th Annual SEC and Financial Reporting Institute Conference, summarized HERE. However, one topic that was new, and interesting enough to spark this blog, was related to initial coin offerings (ICO’s). Note that offers and sales of digital coins, cryptocurrencies or tokens using distributed ledger technology (DLT) or blockchain have become widely known as ICO’s.

As the capital markets become more and more focused on all things blockchain, including ICO’s, secondary token trading, and disruptive changes made possible by distributed ledger technology (DLT), which is inevitably transforming capital market processes, the SEC is fronting a wave of questions and concerns on the subject. On July 25, 2017, the SEC issued a report on an investigation related to an ICO by the DAO and statements by the Divisions of Corporation Finance and Enforcement related to the investigative report. On the same day, the SEC issued an Investor Bulletin related to ICO’s. (See summary of the report, statement and investor bulletin HERE).

Almost all divisions and committees of the SEC are and will be impacted by DLT and ICO’s and are working diligently to address the technology and the public markets’ wave of interest. In August 2017 the SEC suspended trading in a slew of bitcoin-based companies, questioning the accuracy of publicly reported information and press releases. On September 20, 2017, the SEC’s Investor Advisory Committee announced the agenda for its next meeting to be held on October 12, the first item on which is blockchain and other distributed ledger technology and its implications for securities markets.

FINRA is likewise attentive to DLT and its far-reaching implications. On July 13, 2017, FINRA held a Blockchain Symposium including participation by the Office of the Comptroller of the Currency, the US Commodity Futures Trading Commission (CFTC), the Federal Reserve Board and the SEC. Earlier in the year, FINRA published a report on the technology and its potential impacts on broker-dealers and the markets in general. See HERE for a summary.

Although outside of my practice area, the Internal Revenue Service is stepping up efforts to make sure taxes are reported and paid for trading profits and other taxable income related to cryptocurrencies. In that regard, the IRS has contracted with a company that provides software that analyzes and tracks bitcoin transactions.

Mr. Bricker’s Remarks on ICO’s

Mr. Bricker begins by talking about the SEC report on the DAO investigation, stating that “[T]he report makes clear that the federal securities laws apply to those who offer and sell securities in the U.S., regardless of whether the issuing entity is a traditional company or a decentralized autonomous organization, whether those securities are purchased using U.S. dollars or virtual currencies, or whether they are distributed in certificated form or through distributed ledger technology.”

All offers and sales of securities in the U.S. must either be registered with the SEC or must qualify for an exemption. The SEC’s registration requirements include the filing of audited financial statements. In addition, I note that many exemptions likewise require the disclosure of either audited or unaudited financial statements. Furthermore, the basic antifraud principles encompassed in Rule 10b-5 of the Securities Exchange Act of 1934 and Section 17(a) of the Securities Act of 1933 require full and fair disclosure, which includes financial information about the issuer.

Mr. Bricker confirms the basic point that U.S. accounting principles apply to ICO’s as they do to any other offering. Issuing companies should review guidance related to the presentation and disclosure of financial statements, consolidation, translation, assets, liabilities, revenue, expenses and ownership.

Mr. Bricker lists questions that both issuers and holders should consider:

Issuers:

What are the necessary financial statement filing requirements?

Are there liabilities requiring recognition or disclosure?

Are there previously recognized assets that require de-recognition?

Are there revenues or expenses requiring recognition or deferral?

Is there a transaction with owners, resulting in debt or equity classification and possibly compensation expense?

Are there implications for the provision for income taxes?

Holders:

Does specialized accounting guidance (such as for investment companies) apply to the holder’s financial statement presentation?

What are the characteristics of the coin or token in considering whether, how, and at what value the transaction should affect the holder’s financial statements?

What is the nature of the holder’s involvement in considering whether the issuer’s activities should be consolidated or accounted for under the equity method?

A new wave of ICO’s

Since the SEC issued its report on the DAO, my office has been actively involved with clients and potential clients interested in structuring ICO’s which comply with the federal (and state) securities laws. Although I have yet to see a registered ICO, several are now utilizing 506(b) or 506(c) to complete their offerings. For instance, the recent $285 million Filecoin ICO was completed in reliance on Rule 506(c) and included such institutional investors as Sequoia Capital, Andreessen Horowitz and Union Square Ventures. Other similar offerings have been and continue to be launched on platforms such as CoinList (which is partnered with AngelList) and now more traditional securities offering platforms such as Start Engine. I am certain the number of securities ICO’s relying on traditional securities offering registration or exemption rules and regulations will continue to increase dramatically.
