What is a SAFT?

A Simple Agreement for Future Tokens (“SAFT”) is an investment contract originally designed to provide a compliant alternative to an initial coin offering (ICO).  A SAFT as used today was intended to satisfy the U.S. federal securities laws, money services and tax laws and act as an alternative to an ICO when the platform and other utilization for the cryptocurrency or token was not yet completed. The form of the SAFT is the result of a joint effort between the Cooley law firm and Protocol Lab as detailed in the white paper released on October 2, 2017 entitled “The SAFT Project: Toward a Compliant Token Sale Framework.” As discussed in this blog, the SAFT’s compliance with federal securities laws has now come into question by both the SEC and practitioners.

SAFTs are offered and sold to accredited investors as an investment to fund the development of a business or project in a way not dissimilar to the way equity changes hands in traditional venture capital. A SAFT was developed from the oft-used simple agreement for future equity (SAFE) contract in the venture capital setting. In a SAFT sale, no coins are ever offered, sold or exchanged. Rather, money is exchanged for traditional paper documents that promise access to future product. Fundamentally, a SAFT has been relying on the premise that the future product is not in and of itself a security.

Although the SEC had been looking at ICO’s for a while, on July 25, 2017 it issued a Section 21(a) Report on an investigation related to an initial coin offering (ICO) by the DAO concluding that the ICO was a securities offering. The Section 21(a) Report established that the Howey Test is the appropriate standard for determining whether a particular token involves an investment contract and the application of the federal securities laws. SEC Chair Jay Clayton has confirmed this standard in several public statements and in testimony before the United States Senate Committee on Banking Housing and Urban Affairs (“Banking Committee”). For a review of the Howey Test, see HERE.

Following the Section 21(a) Report, in a slew of enforcement proceedings by both the SEC and state securities regulators, and in numerous public statements, it is clear that regulators have viewed most, if not all, ICO’s as involving the sale of securities. At the same time, the SAFT grew in popularity as an attempt to comply with the securities laws. The SEC’s position is based on an analysis of the current market for ICO’s and the issuance of “coins” or “tokens” for capital raising transactions and as speculative investment contracts.

SAFT users rely on the premise that a cryptocurrency which today may be an investment contract (security) can morph into a commodity (currency) or other type of digital asset. The SAFT would delay the issuance of the cryptocurrency until it has reached its future utility. Investors in a SAFT automatically receive the cryptocurrency when it is publicly distributed in an ICO. The SAFT investors generally receive the crypto at a discount to the public offering price. However, this premise is taking a direct hit lately. Although I’ll lay out more on the SAFT history and why it was thought of as a solution further in this blog, I’ll jump right to the current analysis, and why a SAFT might not provide the intended protections.

The SAFT Problem

Although everyone, including regulators, agrees that the state of the law in the area of cryptocurrencies and tokens is unsettled, regulators, including both the CFTC and SEC, have increasingly taken positions that would bring cryptocurrencies within their jurisdiction. I believe regulators are reacting to overarching fraud and therefore a necessity to take action to protect investors. Without congressional rule making and definitive guidance, regulators have no choice but to make the current law fit the circumstances. In some cases that works fine, but in others it does not and I suspect continuing changes in interpretations, enforcement premises and ultimately rule making will occur.

As I’ve previously discussed, the CFTC first found that Bitcoin and other virtual currencies were properly defined as commodities in 2015. Accordingly, the CFTC has regulatory oversight over futures, options, and derivatives contracts on virtual currencies and has oversight to pursue claims of fraud or manipulation involving a virtual currency traded in interstate commerce. Beyond instances of fraud or manipulation, the CFTC generally does not oversee “spot” or cash market exchanges and transactions involving virtual currencies that do not utilize margin, leverage or financing. Rather, these “exchanges” are regulated as payment processors or money transmitters under state law. See HERE.

The SEC has also taken the stance that ICO’s involve the sale of securities, and that exchanges providing for the after-market trading of cryptocurrencies must register unless an exemption applies. The SEC is now taking it one step further, postulating that the tokens or cryptocurrencies underlying the SAFT could also be a security (and when I say “could” I mean “are”), in which case the SAFT structure is nothing more than a convertible security and fails to comply with the federal securities laws and makes it even more likely that it would result in an enforcement proceeding, or private litigation.

A SAFT is a type of pre-ICO investment with the investors automatically receiving the crypto when the company completes its public ICO. If the underlying token is a security, then the future ICO fails to comply with the federal securities laws and the original SAFT also fails to comply.

Getting ahead of this issue, many companies have structured a SAFT such that the future ICO is also labeled a security, and the SAFT investor will receive the crypto when the future ICO is registered with the SEC. However, this results in a private pre-public security sale, which in and of itself is prohibited by the securities laws.

In particular, Securities Act CD&I 139.01 provides:

Question: Where the offer and sale of convertible securities or warrants are being registered under the Securities Act, and such securities are convertible or exercisable within one year, must the underlying securities be registered at that time?

Answer: Yes. Because the securities are convertible or exercisable within one year, an offering of both the overlying security and underlying security is deemed to be taking place. If such securities are not convertible or exercisable within one year, the issuer may choose not to register the underlying securities at the time of registering the convertible securities or warrants. However, the underlying securities must be registered no later than the date such securities become convertible or exercisable by their terms, if no exemption for such conversion or exercise is available. Where securities are convertible only at the option of the issuer, the underlying securities must be registered at the time the offer and sale of the convertible securities are registered since the entire investment decision that investors will be making is at the time of purchasing the convertible securities. The security holder, by purchasing a convertible security that is convertible only at the option of the issuer, is in effect also deciding to accept the underlying security. [Aug. 14, 2009] (emphasis added)

In a Crowdfund Insider article published March 26, 2018, one practitioner (Anthony Zeoli) has had discussions with the SEC on the subject. As reported in the article, the SEC has stated that if the SAFT investor will automatically receive tokens in the future when and if the tokens are registered, without any further action on the part of the investor, then the tokens must be registered as of the date of the SAFT investment.

Of course, the future ICO or token offering could be completed in a private offering in compliance with the federal securities laws, such as using Rule 506(c) and limiting all sales to accredited investors (see HERE on Rule 506(c)). However, assuming the token or coin really is designed to create a decentralized community or to have utility value that can be widely used by the public, limiting sales to accredited investors does not meet the needs of the issuers. Moreover, even if the future offering is structured as a private securities offering, the SAFT sale disclosure documents would need to include full disclosure on the future coin or token such that the investor could make an informed investment decision at the time of the SAFT investment.

In the same article, Zeoli delves into a more nuanced issue, which is the rising difference in the meaning of a “coin” vs a “token.” A SAFT is a simple agreement for future “tokens” but is being used to pre-sell initial “coin” offerings. If a coin and a token are two very different things (as Zeoli suggests—think stock vs. LLC interest), then the underlying contract has systemic problems beyond the registration and exemption provisions of the federal securities laws and may be a misrepresentation resulting in fraud claims.

More On SAFT; Background

As mentioned, the current form of a SAFT was created by a joint effort between the Cooley law firm and Protocol Lab as detailed in the white paper released on October 2, 2017 entitled “The SAFT Project: Toward a Compliant Token Sale Framework.” The SAFT was intended to comply with the federal securities, money transmittal and tax laws. Also, as discussed, the SAFT relies on the premise that a cryptocurrency which today may be an investment contract (security) will tomorrow be a non-security digital asset satisfying the Howey Test.  The SAFT would delay the issuance of the cryptocurrency until it has reached its future utility.

The original SAFT white paper states:

The SAFT is an investment contract. A SAFT transaction contemplates an initial sale of a SAFT by developers to accredited investors. The SAFT obligates investors to immediately fund the developers. In exchange, the developers use the funds to develop genuinely functional network, with genuinely functional utility tokens, and then deliver those tokens to the investors once functional. The investors may then resell the tokens to the public, presumably for a profit, and so may the developers.

The SAFT is a security. It demands compliance with the securities laws. The resulting tokens, however, are already functional, and need not be securities under the Howey test. They are consumptive products and, as such, demand compliance with state and federal consumer protection laws.

Despite its good intentions, as of today, the model SAFT no longer works.

Further Reading on DLT/Blockchain and ICO’s

For an introduction on distributed ledger technology, including a summary of FINRA’s Report on Distributed Ledger Technology and Implication of Blockchain for the Securities Industry, see HERE.

For a discussion on the Section 21(a) Report on the DAO investigation, statements by the Divisions of Corporation Finance and Enforcement related to the investigative report and the SEC’s Investor Bulletin on ICO’s, see HERE.

For a summary of SEC Chief Accountant Wesley R. Bricker’s statements on ICO’s and accounting implications, see HERE.

For an update on state distributed ledger technology and blockchain regulations, see HERE.

For a summary of the SEC and NASAA statements on ICO’s and updates on enforcement proceedings as of January 2018, see HERE.

For a summary of the SEC and CFTC joint statements on cryptocurrencies, including The Wall Street Journal op-ed article and information on the International Organization of Securities Commissions statement and warning on ICO’s, see HERE.

For a review of the CFTC role and position on cryptocurrencies, see HERE.

For a summary of the SEC and CFTC testimony to the United States Senate Committee on Banking Housing and Urban Affairs hearing on “Virtual Currencies: The Oversight Role of the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission,” see HERE.

The Author

Laura Anthony, Esq.
Founding Partner
Legal & Compliance, LLC

© Legal & Compliance, LLC 2018


The SEC Has Issued New Guidance On Cybersecurity Disclosures

On February 20, 2018, the SEC issued new interpretative guidance on public company disclosures related to cybersecurity risks and incidents. In addition to addressing public company disclosures, the new guidance reminds companies of the importance of maintaining disclosure controls and procedures to address cyber-risks and incidents and reminds insiders that trading while having non-public information related to cyber-matters could violate federal insider-trading laws.

The prior SEC guidance on the topic was dated, having been issued on October 13, 2011. For a review of this prior guidance, see HERE. The new guidance is not dramatically different from the 2011 guidance.

Introduction

The topic of cybersecurity has been in the forefront in recent years, with the SEC issuing a series of statements and creating two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICO’s). Moreover, the SEC has asked the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts. See my two-part blog series, including a summary of the recent speeches and initiatives, HERE and HERE.

The SEC incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of its review of public company disclosures, its oversight of critical market technology infrastructure, and its oversight of other regulated entities, including broker-dealers, investment advisors and investment companies. Considering rapidly changing technology and the proliferation of cybersecurity incidents affecting both private and public companies (including a hacking of the SEC’s own EDGAR system and a hacking of Equifax causing a loss of $5 billion in market cap upon disclosure), threats and risks, public companies have been anticipating a needed update on the SEC disclosure-related guidance.

SEC Commissioner Kara Stein’s statement on the new guidance is grim on the subject, pointing out that the risks and costs of cyberattacks have been growing and could result in devastating and long-lasting collateral effects. Commissioner Stein cites a Forbes article estimating that cyber-crime will cost businesses approximately $6 trillion per year on average through 2021 and an Accenture article citing a 62% increase in such costs over the last five years.

Commissioner Stein also discusses the inadequacy of the 2011 guidance in practice and her pessimism that the new guidance will properly fix the issue. She notes that most disclosures are boilerplate and do not provide meaningful information to investors despite the large increase in the number and sophistication of, and damage caused by, cyberattacks on public companies in recent years. Commissioner Stein includes a list of requirements that she would have liked to see in the new guidance, including, for example, a discussion of the value to investors of disclosing whether any member of a company’s board of directors has experience, education, expertise or familiarity with cybersecurity matters or risks.

I have read numerous media articles and blogs related to the disclosure of cyber-matters in SEC reports. One such blog was written by Kevin LaCroix and published in the D&O Diary. Mr. LaCroix’s blog points out that according to a September 19, 2016, Wall Street Journal article, cyber-attacks are occurring more frequently than ever but are rarely reported. The article cites a report that reviewed the filings of 9,000 public companies from 2010 to the present and found that only 95 of these companies had informed the SEC of a data breach.

As reported in a blog published by Debevoise and Plimpton, dated September 12, 2016, (thank you, thecorporatecounsel.net), a review of Fortune 100 cyber-reporting practices revealed that most disclosures are contained in the risk-factor section of regular periodic reports such as Forms 10-Q and 10-K, as opposed to interim disclosures in a Form 8-K. Moreover, only 20 incidents were reported at all in the period from January 2013 through the third quarter of 2015.

However, as Commissioner Stein notes, the SEC only has so much authority or power through guidance, as opposed to rulemaking. Commissioner Stein strongly advocates for new rulemaking in this regard. I do not think, in the current environment advocating for fewer rules, that rulemaking related to cybersecurity disclosure will be made a priority. Moreover, I would not advocate for in-depth or robust further rules. Disclosure is based on materiality, and a company has an ongoing obligation to disclose any material information, including that which is related to cybersecurity matters. I think the SEC can question principles-based specific disclosures, and whether they are robust enough, through review and comment on public company filings. Certainly, the SEC staff, who review thousands of filings, has the knowledge of a lack of cybersecurity disclosure and can comment. In fact, if the SEC wrote a few standard cybersecurity-related disclosure comments and included them in a lot of comment letters, the marketplace would respond accordingly and beef up disclosure to avoid the comments.

Although I do not generally advocate for additional rules, Commissioner Stein makes one suggestion that I would support and that is adding the disclosure of a cybersecurity event to the Form 8-K filing requirements. Although the new SEC guidance does not specifically require a Form 8-K, in light of the importance of these events, it seems it would be appropriate and the guidance itself requires “timely disclosure.” However, without a specific requirement, a company could elect to disclose via a press release and/or the filing of a Form 8-K under Item 7.01 Regulation FD disclosure. When disclosing using a press release and Regulation FD item in a Form 8-K, a company may elect for the information to be “furnished, not filed.” Section 18 of the Exchange Act imposes liability for material misstatements or omissions contained in reports and other information filed with the SEC. However, reports and other information that are “furnished” to the SEC do not impose liability under Section 18. The antifraud provisions under Rule 10b-5 would still apply to the disclosure, but the stricter Section 18 liability would not.

New Guidance on Public Company Cybersecurity Disclosures

The new guidance begins with an introduction describing the importance of cybersecurity in today’s business world, driving the point home by comparing it to the importance of electricity. Cyber-incidents can take many forms, both intentional and unintentional, and commonly include the unauthorized access of information, including personal information related to customers’ accounts or credit information, data corruption, misappropriating assets or sensitive information or causing operational disruption. Attacks use increasingly complex methods, including malware, ransomware, phishing, structured query language injections and distributed denial-of-service attacks. A cyber-attack can be in the form of unauthorized access or a blocking of authorized access.

The purpose of a cyber-attack can vary as much as the methodology used, including for financial gain such as the theft of financial assets, intellectual property or sensitive personal information on the one hand, to a vengeful or terrorist motive through business disruption on the other hand. Perpetrators may be insiders and affiliates, or third parties including cybercriminals, competitors, nation-states and “hacktivists.”

When victim to a cyber-attack or incident, a company will have direct financial and indirect negative consequences, including but not limited to:

  • Remediation costs, including liability for stolen assets, costs of repairing system damage, and incentives or other costs associated with repairing customer and business relationships;
  • Increased cybersecurity protection costs to prevent both future attacks and the potential damage caused by same. These costs include organizational changes, employee training and engaging third-party experts and consultants;
  • Lost revenues from unauthorized use of proprietary information and lost customers;
  • Litigation;
  • Increased insurance premiums;
  • Damage to the company’s competitiveness, stock price and long-term shareholder value; and
  • Reputational damage.

Whereas the 2011 disclosure guidance was conservative in its tone, trying to strike a balance between satisfying the disclosure mandates of providing material information related to risks to the investing community with a company’s need to refrain from providing disclosure that could, in and of itself, provide a road map to the very breaches a company attempts to prevent, the new guidance is more blunt in the critical need to inform investors about material cybersecurity risks and incidents when they occur.

A company’s ability to timely and properly make any required disclosure of cybersecurity risks and incidents requires the company to implement and maintain disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.

Insider Trading

It is also important that public company officers, directors and other insiders respect the importance and materiality of cybersecurity risk and incident knowledge and not trade a company’s security when in possession of non-public information related to cybersecurity matters.  In that regard, companies should include cybersecurity matters in their insider trading policies and procedures. These insider trading policies should (i) guard against trading in the period between when a company learns of a cybersecurity incident and the time it is made public; and (ii) require the timely disclosure of such non-public information.

Guidance

Public companies have many disclosure requirements, including through periodic reports on Forms 10-K, 10-Q and 8-K, through Securities Act registration statements such as on Forms S-1 and S-3 and generally through the antifraud provisions of both the Exchange Act and Securities Act, which require a company to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.

As with all disclosure requirements, the disclosure of cybersecurity risk and incidents requires a materiality analysis. Although there continues to be no specific disclosure requirement or rule under either Regulation S-K or S-X that addresses cybersecurity risks, attacks or other incidents, many of the disclosure rules encompass these disclosures indirectly, such as risk factors, internal control assessments, management discussion and analysis, legal proceedings, disclosure controls and procedures, corporate governance and financial statements. As mentioned, as with all other disclosure requirements, an obligation to disclose cybersecurity risks, attacks or other incidents may be triggered to make other required disclosures not misleading considering the circumstances.

A company has two levels of cybersecurity disclosure to consider. The first is its controls and procedures and corporate governance to both address cybersecurity matters themselves and to address the timely and thorough reporting of same. The second is the reporting of actual incidents.  In determining the materiality of a particular cybersecurity incident, a company should consider (i) the importance of any compromised information; (ii) the impact of an incident on company operations; (iii) the nature, extent and potential magnitude of the event; and (iv) the range of harm such incident can cause, including to reputation, financial performance, customer and vendor relationships, litigation or regulatory investigations.

Of course, the new guidance is also clear that a company would not need to disclose the depth of information that could, in and of itself, provide information necessary to breach cyber-defenses. A company would not need to disclose specific technical information about cybersecurity systems, related networks or devices or specific devices and networks that may be more susceptible to attack due to weaker systems.

The new guidance also reminds companies that they have a duty to correct prior disclosures that the company determines were untrue at the time material information was made or omitted, and to update disclosures that become inaccurate after the fact.

Like the prior guidance, the new guidance provides specific input into areas of disclosure.

Risk Factors

Obviously, where appropriate, cybersecurity risks need to be included in risk factor disclosures. The SEC guidance in this regard is very common-sense. Companies should evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber-incidents and the severity and frequency of those incidents. Companies should consider the probability of an incident and the quantitative and qualitative magnitude of the risk, including potential costs and other consequences of an attack or other incident.  Consideration should be given to the potential impact of the misappropriation of assets or sensitive information, corruption of data or operational disruptions. A company should also consider the adequacy of preventative processes and plans in place should an attack occur.  Actual threatened attacks may be material and require disclosure.

As with all risk-factor disclosures, the company must adequately describe the nature of the material risks and how such risks affect the company. Likewise, generic risk factors that could apply to all companies should not be included. Risk factor disclosure may include:

  • Discussion of the company’s business operations that give rise to material cybersecurity risks and the potential costs and consequences, including industry specific risks and third-party and service-provider risks;
  • The costs associated with maintaining cybersecurity protections, including insurance coverage;
  • The probability of an occurrence and its potential magnitude;
  • Potential for reputational harm;
  • Description of past incidents, including their severity and frequency;
  • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including any limits on the company’s ability to prevent or mitigate risks;
  • Existing and pending laws and regulations that may affect the company’s cybersecurity requirements and the associated costs; and
  • Litigation, regulatory investigation and remediation costs associated with cybersecurity incidents.

Management Discussion and Analysis (MD&A)

In MD&A a company should consider all the same factors that it would consider in its risk factors.  A company would need to include discussion of cybersecurity risks and incidents in its MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential future incidents result in a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity or financial condition, or could impact previously reported financial statements. The discussion should include any material realized or potential reduction in revenues, loss of intellectual property, remediation efforts, maintaining insurance, increase in cybersecurity protection costs, addressing harm to reputation and litigation and regulatory investigations.  Furthermore, even if an attack did not result in direct losses, such as in the case of a failed attempted attack, but does result in other consequences, such as a material increase in cybersecurity expenses, disclosure would be appropriate.

Business Description; Legal Proceedings

Disclosure of cyber-related matters may be required in a company’s business description where they affect a company’s products, services, relationships with customers and suppliers or competitive conditions. Likewise, material litigation would need to be included in the “legal proceedings” section of a periodic report or registration statement. The litigation disclosure should include any proceedings that relate to cybersecurity issues.

Financial Statements

Cyber-matters may need to be included in a company’s financial statements prior to, during and/or after an incident. Costs to prevent cyber-incidents are generally capitalized and included on the balance sheet as an asset. GAAP provides for specific recognition, measurement and classification treatment for the payment of incentives to customers or business relations, including after a cyber-attack.  Cyber-incidents can also result in direct losses or the necessity to account for loss contingencies, including those related to warranties, direct loss of revenue, providing customers with incentives, breach of contract, product recall and replacement, indemnification or remediation. Incidents can result in loss of, and therefore accounting impairment to, goodwill, intangible assets, trademarks, patents, capitalized software and even inventory.  Financial statement disclosure may also include expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional service providers.

Broad Risk Oversight

A company must disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure. To the extent cybersecurity risks are material to a company’s business, this discussion should include the nature of the board’s role in overseeing the management of that risk. Information should also be included on how the board engages with management on cybersecurity risk management.

Controls and Procedures

The new guidance clearly provides that companies should adopt comprehensive policies and procedures related to cybersecurity and assess their compliance regularly, including policy/procedure compliance related to the sufficiency of disclosure controls and procedures.  Procedures must address a company’s ability to record, process, summarize and report financial and other information in SEC filings.  Additionally, any deficiency in these controls and procedures should be reported.

The SEC reminds companies that their principal executive officer and principal financial officer must make individual certifications regarding the design and effectiveness of disclosure controls and procedures. These certifications should take into account cybersecurity-related controls and procedures.

Furthermore, as discussed above, a company should have proper policies and procedures preventing officers, directors and other insiders from trading on material nonpublic information related to cybersecurity risks and incidents.

Regulation FD and Selective Disclosure

Companies may have disclosure obligations under Regulation FD related to cybersecurity matters. Under Regulation FD, “when an issuer, or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of that information.” The SEC reminds companies that these requirements also relate to cybersecurity matters and that, along with all the other disclosure requirements, policies and procedures should specifically address any disclosures of material non-public information related to cybersecurity.

The 2017 SEC Government-Business Forum On Small Business Capital Formation

On November 30, 2017, the SEC held its annual Government-Business Forum on Small Business Capital Formation (the “Forum”). It will be several months until the final report with recommendations from the forum is published, but the opening remarks from SEC Chair Jay Clayton and Commissioners Kara Stein and Michael Piwowar provide ongoing and consistent guidance as to the current focus of the SEC. For a review of the recommendations by last year’s forum, see HERE.

As expected, the topics of cryptocurrency and ICO’s were front and center at the Forum. In his opening remarks at the Forum, Division of Corporation Finance Director William Hinman confirmed that the SEC believes that ICO’s generally involve securities offerings and that the securities laws must be complied with. Hinman continued that the SEC is providing guidance through enforcement and public statements on the topic.

As with other statements and speeches, the SEC hedges by pointing out the validity of an ICO as a capital raising tool, and of course, the innovation potential of blockchain. The SEC is not trying to discourage ICO’s or blockchain innovation; they are trying to discourage ICO’s that fail to comply with securities laws, and the unfortunate, multiple frauds being perpetrated as a result of the frenzy surrounding this new technology.

Remarks by Chairman Jay Clayton

Chair Clayton is consistent with the theme he has been putting forth since taking office: The SEC is committed to helping Main Street investors. The Forum provides a key opportunity for the small-cap marketplace to have their voices heard regarding issues and desired changes to federal securities regulations and the regulatory system.

Chair Clayton reiterates the SEC’s three-part mission to (i) protect investors; (ii) maintain fair, orderly and efficient markets; and (iii) facilitate capital formation. Furthermore, although capital formation is important for all businesses, small and medium-sized businesses contribute the most to U.S. job creation, generating 62% of new jobs. Along the same lines, the SEC wants to open more investment opportunities into small businesses for Main Street investors. In that regard, Jay Clayton points out the Regulation A public offering process. As an aside, I was happy to see him recognize Regulation A as an IPO, whereas when he first took office, he seemed to view Regulation A as outside the IPO realm.

Remarks by Commissioner Michael Piwowar

Michael Piwowar’s statement was short and pointed. As anyone that follows my blog knows, I am a fan of Piwowar, agreeing with most of his views, and more so his willingness to express those views, even when contrary to other SEC chiefs or the legislature. Mr. Piwowar has been vocal about his disagreement with the pay ratio disclosure requirements mandated by the Dodd-Frank Act and uses his statement as an opportunity to reiterate that view, while pointing out that the recent interpretative guidance on the subject will help with the compliance burden. I have not written about that guidance as of yet, but my prior blog on the pay ratio rules can be read HERE.

Commissioner Piwowar also points out other SEC actions to assist with small businesses and capital formation, including the newest proposed rules to modernize and simplify disclosures (see HERE) and the SEC’s action to allow all companies to file confidential registration statements (see HERE).

Commissioner Piwowar ends his statement by promising that he will personally give careful consideration to this year’s recommendations of the Forum. I hope so, as the recommendations are always on point to assist the small-cap marketplace.

Remarks by Commissioner Kara Stein

Commissioner Stein began with the usual niceties regarding the forum and its importance for communication between regulators and the small-cap market. Adding her own perspective, Commissioner Stein points out that a lot of the SEC’s effort and rules are “designed to facilitate trust between… market participants – the small businesses seeking to raise capital, the investors who wish to support their growth, and their service providers.”  Continuing to add her own unique voice, Ms. Stein talked about the need for diversity of companies and investors and bringing capital raising (and a voice in the process) to different parts of the country.

The Senate Banking Committee’s Hearing On Cryptocurrencies

On February 6, 2018, the United States Senate Committee on Banking Housing and Urban Affairs (“Banking Committee”) held a hearing on “Virtual Currencies: The Oversight Role of the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission.” Both SEC Chairman Jay Clayton and CFTC Chairman J. Christopher Giancarlo testified and provided written testimony. The marketplace as a whole had a positive reaction to the testimony, with Bitcoin prices immediately jumping up by over $1600. This blog reviews the testimony and provides my usual commentary.

The SEC and CFTC Share Joint Regulatory Oversight

The Banking Committee hearing follows SEC and CFTC joint statements on January 19, 2018 and a joint op-ed piece in the Wall Street Journal published on January 25, 2018 (see HERE). As with other areas in capital markets, such as swaps, the SEC and CFTC have joint regulatory oversight over cryptocurrencies. Where the SEC regulates securities and securities markets, the CFTC does the same for commodities and commodity markets.

Bitcoin has been determined to be a commodity and as such, the CFTC has regulatory oversight over futures, options, and derivatives contracts on virtual currencies and has oversight to pursue claims of fraud or manipulation involving a virtual currency traded in interstate commerce. Nevertheless, the CFTC does NOT have regulatory jurisdiction over markets or platforms conducting cash or “spot” transactions in virtual currencies or other commodities or over participants on such platforms. These spot virtual currency or cash markets often self-certify or are subject to state regulatory oversight. However, the CFTC does have enforcement jurisdiction to investigate fraud and manipulation in virtual currency derivatives markets and in underlying virtual currency spot markets.

The SEC does not have jurisdiction over currencies, including true virtual currencies. However, many, if not all, token offerings have been for the purpose of raising capital and have involved speculative investment contracts, thus implicating the jurisdiction of the SEC, in the offering and secondary trading markets.

Chair Clayton repeated that “every ICO I’ve seen is a security,” and added, “[T]hose who engage in semantic gymnastics or elaborate re-structuring exercises in an effort to avoid having a coin be a security are squarely in the crosshairs of our enforcement division.” Chair Clayton is very concerned that Main Street investors are getting caught up in the hype and investing money they cannot afford to lose, without proper (if any) disclosure, and without understanding the risks.  He also reiterates previous messaging that to date no ICO has been registered with the SEC and that ICO’s are international in nature such that the SEC may not be able to recover lost funds or effectively pursue bad actors. Cybersecurity is also a big risk associated with ICO investments and the cryptocurrency market as a whole. Chair Clayton cites a study that more than 10% of total ICO proceeds, estimated at over $400 million, has been lost to hackers and cyberattacks.

It is becoming increasingly certain that the U.S. will impose a new regulatory regime over those tokens that are not a true cryptocurrency, which would likely include all tokens issued on the Ethereum blockchain for capital raising purposes. Clayton made the distinction between Bitcoin, which is decentralized, on a public blockchain and mined or produced by the public, and other “securities tokens,” which are the cryptocurrencies that are developed by an organization and created and issued primarily for capital formation and secondary trading.

Many tokens are being fashioned that outright and purposefully resemble equity in an enterprise as a new way to represent equity and capital ownership. Clearly this falls directly within the SEC jurisdiction, and state corporate regulatory oversight as well. Furthermore, there are instances where a token is issued in a capital-raising securities offering and later becomes a commodity, or instances where a token securities offering is bundled to include options or futures contracts, implicating both SEC and CFTC compliance requirements.

In the Banking Committee testimony, the SEC and CFTC presented a united front, confirming that they are cooperating and working together to ensure effective oversight. Both agencies have established virtual currency task forces and their respective enforcement divisions are cooperating and sharing information. Also, both agencies have launched efforts to educate the public on virtual currencies, with the CFTC publishing numerous articles and creating a dedicated “Bitcoin” webpage.

In addition to cooperating with each other, they are also cooperating and communicating with the NASAA, the Consumer Financial Protection Bureau, FinCen, the IRS, state regulators and others.

The Technology

Consistent with all statements by the regulators, both the SEC and CFTC agree that blockchain technology is disruptive and has the potential to, and likely will, change the capital markets. Moreover, both agencies consistently reiterate their support of these changes and desire to foster innovation.  In fact, the new technology has the potential to help regulators better monitor transactions, holdings and obligations and other market activities.

Chair Giancarlo’s testimony states that “DLT is likely to have a broad and lasting impact on global financial markets in payments, banking, securities settlement, title recording, cyber security and trade reporting and analysis. When tied to virtual currencies, this technology aims to serve as a new store of value, facilitate secure payments, enable asset transfers, and power new applications.” In addition, smart contracts have the ability to value themselves in real time and report information to data repositories.

However, regulation and oversight need to be fashioned that properly address the new technology and business operations. Both agencies are engaging in discussions with industry participants at all levels. A few of the key issues that will need to be resolved include custody, liquidation, valuation, cybersecurity at all levels, governance, clearing and settlement, and anti-money laundering and know-your-customer matters.

Overall, Chair Giancarlo seemed more positive and excited about blockchain and Bitcoin, pointing out current uses including a recent transaction where 66 million tons of American soybeans were handled in a blockchain transaction to China. Chair Clayton, while likely also very enthusiastic about the technology, is currently more focused on the fraud and misuse that has consumed this space recently.

Current Regulations and Needed Change

While the agencies investigate and review needed changes to the regulatory environment, both maintain that current regulations can be relied upon to address the current state of the market. On the SEC side, Chair Clayton walked the Banking Committee through previous SEC statements and the DAO Section 21(a) report issued in July 2017. He again confirmed that the Howey Test remains the appropriate standard for determining whether a particular token involves an investment contract and the application of the federal securities laws. The current registration and exemption requirements are also appropriate for ICO offerings. An issuer can either register an offering, or rely on exemptions such as Regulation D for any capital-raising transaction, including those involving tokens.

Conversely, the current regulatory framework related to exchange traded fund products (ETF’s) needs some work before a virtual currency product could be approved. Issues remain surrounding liquidity, valuation, custody of holdings, creation, redemption and arbitrage. In that regard, in a coming blog, I will review an SEC letter dated January 18, 2018 entitled “Engaging on Fund Innovation and Cryptocurrency-related Holdings” outlining why a crypto-related ETF would not be approved at this time.  Senator Mark Warner was quick to point out that there seems to be a regulatory disconnect where an SEC governed ETF is not approved, but a CFTC-governed Bitcoin future is allowed.

The current federal broker-dealer registration requirements remain the best test to determine if an exchange or other offering participant is required to be registered and a member of FINRA. Chair Clayton repeats his warning shot to gatekeepers such as attorneys and accountants that are involved in ICO’s and the crypto marketplace as a whole. Chair Clayton expresses concern that crypto markets often look similar to regulated securities markets and even are called “exchanges”; however, “investors transacting on these trading platforms do not receive many of the market protections that they would when transacting through broker-dealers on registered exchanges or alternative trading systems (ATSs), such as best execution, prohibitions on front running, short sale restrictions, and custody and capital requirements.”

CFTC Chair Giancarlo reiterated that current regulations related to futures, options, and derivatives contracts, and the registration (or lack thereof through self-certification) of spot currency exchanges are being utilized in the virtual currency market. However, the part of the regulatory system that completely defers to state law may need change. In particular, check cashing, payment processing and money transmission services are primarily state regulated. Many of the Internet-based cryptocurrency trading platforms have registered as payment services and are not subject to direct oversight by the SEC or the CFTC, and both agencies expressed concern about this jurisdictional gap.

Giancarlo was especially critical of this state-by-state approach and suggested new federal legislation, including legislation related to data reporting, capital requirements, cybersecurity standards, measures to prevent fraud, price manipulation, anti-money laundering, and “know your customer” protections. “To be clear, the CFTC does not regulate the dozens of virtual currency trading platforms here and abroad,” Giancarlo said, clarifying that the CFTC can’t require cyber-protections, platform safeguards and other things that consumers might expect from traditional marketplaces.

Chair Clayton expressed the same concerns, especially the lack of protections for Main Street investors. Chair Clayton stated, “I think our Main Street investors look at these virtual currency platforms and assume they are regulated in the same way that a stock is regulated and, as I said, it’s far from that and I think we should address that.”

I am always an advocate of federal oversight of capital markets matters that cross state lines. A state-by-state approach is always inconsistent, expensive, and inefficient for market participants.

Both agencies are clear that regardless of the technology and nomenclature, they are and will continue to actively pursue cases of fraud and misconduct. Current regulations or questions related to needed changes do not affect this role. However, Chair Clayton did impress upon the Banking Committee that the current hiring freeze and budgetary restraints are an impediment. The SEC specifically needs more attorneys in their enforcement and trading and markets divisions.

Further Reading on DLT/Blockchain and ICO’s

For an introduction on distributed ledger technology, including a summary of FINRA’s Report on Distributed Ledger Technology and Implication of Blockchain for the Securities Industry, see HERE.

For a discussion on the Section 21(a) Report on the DAO investigation, statements by the Divisions of Corporation Finance and Enforcement related to the investigative report and the SEC’s Investor Bulletin on ICO’s, see HERE.

For a summary of SEC Chief Accountant Wesley R. Bricker’s statements on ICO’s and accounting implications, see HERE.

For an update on state distributed ledger technology and blockchain regulations, see HERE.

For a summary of the SEC and NASAA statements on ICO’s and updates on enforcement proceedings as of January 2018, see HERE.

For a summary of the SEC and CFTC joint statements on cryptocurrencies, including The Wall Street Journal op-ed article and information on the International Organization of Securities Commissions statement and warning on ICO’s, see HERE.

For a review of the CFTC role and position on cryptocurrencies, see HERE.


The CFTC And Cryptocurrencies

The SEC and U.S. Commodity Futures Trading Commission (CFTC) have been actively policing the crypto or virtual currency space. Both regulators have filed multiple enforcement actions against companies and individuals for improper activities including fraud. On January 25, 2018, SEC Chairman Jay Clayton and CFTC Chairman J. Christopher Giancarlo published a joint op-ed piece in the Wall Street Journal on the topic.

Backing up a little, on October 17, 2017, the LabCFTC office of the CFTC published “A CFTC Primer on Virtual Currencies” in which it defines virtual currencies and outlines the uses and risks of virtual currencies and the role of the CFTC. The CFTC first found that Bitcoin and other virtual currencies are properly defined as commodities in 2015. Accordingly, the CFTC has regulatory oversight over futures, options, and derivatives contracts on virtual currencies and has oversight to pursue claims of fraud or manipulation involving a virtual currency traded in interstate commerce. Beyond instances of fraud or manipulation, the CFTC generally does not oversee “spot” or cash market exchanges and transactions involving virtual currencies that do not utilize margin, leverage or financing. Rather, these “exchanges” are regulated as payment processors or money transmitters under state law.

The role of the CFTC is substantially similar to the SEC with a mission to “foster open, transparent, competitive and financially sound markets” and to “protect market users and their funds, consumers and the public from fraud, manipulation and abusive practices related to derivatives and other products subject to the Commodity Exchange Act (CEA).” The definition of a commodity under the CEA is as broad as the definition of a security under the Securities Act of 1933, including a physical commodity such as an agricultural product, a currency or interest rate or “all services, rights and interests in which the contracts for future delivery are presently or in the future dealt in” (i.e., futures, options and derivatives contracts).

Where the SEC regulates securities and securities markets, the CFTC does the same for commodities and commodity markets. At times the jurisdiction of the two regulators overlaps, such as related to swap transactions (see HERE). Furthermore, while there are no SEC licensed securities exchanges which trade virtual currencies or any tokens, there are several commodities exchanges that trade virtual currency products such as swaps and options, including the TeraExchange, North American Derivatives Exchange and LedgerX.

The Commodity Exchange Act would prohibit the trading of a virtual currency future, option or swap on a platform or facility not licensed by the CFTC. Moreover, the National Futures Association (NFA) is now requiring member commodity pool operators (CPO’s) and commodity trading advisors (CTA’s) to immediately notify the NFA if they operate a pool or manage an account that engaged in a transaction involving a virtual currency or virtual currency derivative.

The CFTC refers to the IRS’s definition of a “virtual currency” and in particular:

A virtual currency is a digital representation of value that functions as a medium of exchange, a unit of account, and/or a store of value. In some environments it operates like real currency but it does not have legal tender status in the U.S. Virtual currency that has an equivalent value in real currency, or that acts as a substitute for real currency, is referred to as a convertible virtual currency.  Bitcoin is one example of a convertible virtual currency.

I note that neither the CFTC’s definition of Bitcoin as a commodity, nor the IRS’s definition of a virtual currency, conflicts with the SEC’s position that most cryptocurrencies and initial cryptocurrency offerings today are securities requiring compliance with the federal securities laws. The SEC’s position is based on an analysis of the current market for ICO’s and the issuance of “coins” or “tokens” for capital raising transactions and as speculative investment contracts. In fact, a cryptocurrency which today may be an investment contract (security) can morph into a commodity (currency) or other type of digital asset. For example, an offering of XYZ token for the purpose of raising capital to build a software or blockchain platform or community where XYZ token can be used as a currency would rightfully be considered a securities offering that needs to comply with the federal securities laws. However, when the XYZ token is issued and can be used as a form of currency, it would become a commodity. Furthermore, the bundling of a token securities offering to include options or futures contracts may implicate both SEC and CFTC compliance requirements.

The CFTC primer gives a little background on Bitcoin, which was created in 2008 by a person or group using the pseudonym “Satoshi Nakamoto” as an electronic payment system based on cryptographic proof allowing any two parties to transact directly without the need for a trusted third party, such as a bank or credit card company. Bitcoin is partially anonymous, with individuals being identified by an alphanumeric address. Bitcoin runs on a blockchain-decentralized network of computers and uses open-source software and “miners” to validate transactions through solving complex algorithmic mathematical equations.

A virtual currency can be used as a store of value; however, virtual currencies are not a yield asset in that they do not generate dividends or interest. Virtual currencies can generally be traded with resulting capital gains or losses. The CFTC, like all regulators, points out the significant speculation and volatility risk. The CFTC reiterates the large incidents of fraud involving crypto marketplaces. Furthermore, there is a significant cybersecurity risk. If a “wallet” holding cryptosecurities is hacked, they are likely gone without a chance of recovery.

Although many virtual currencies, including Bitcoin, market themselves as a payment method, the ability to utilize Bitcoin and other virtual currencies for everyday goods and services has not yet come to fruition. In fact, the trend toward Bitcoin being a regularly accepted payment seems to have gone the other way, with payment processor Stripe, tech giant Microsoft and gaming platform Steam discontinuing Bitcoin support due to lengthy transaction times and increased transaction failure rates.

Further Reading on DLT/Blockchain and ICO’s

For an introduction on distributed ledger technology, including a summary of FINRA’s Report on Distributed Ledger Technology and Implication of Blockchain for the Securities Industry, see HERE.

For a discussion on the Section 21(a) Report on the DAO investigation, statements by the Divisions of Corporation Finance and Enforcement related to the investigative report and the SEC’s Investor Bulletin on ICO’s, see HERE.

For a summary of SEC Chief Accountant Wesley R. Bricker’s statements on ICO’s and accounting implications, see HERE.

For an update on state distributed ledger technology and blockchain regulations, see HERE.

For a summary of the SEC and NASAA statements on ICO’s and updates on enforcement proceedings as of January 2018, see HERE.

To read about the SEC and CFTC joint statements and the Wall Street Journal op-ed article, see HERE.


The SEC And CFTC Joint Statements On Cryptocurrencies; Global Regulators Join In

On January 19, 2018 and again on January 25, 2018, the SEC and CFTC divisions of enforcement issued joint statements regarding cryptocurrencies. The January 19 statement was short and to the point, reading in total:

“When market participants engage in fraud under the guise of offering digital instruments – whether characterized as virtual currencies, coins, tokens, or the like – the SEC and the CFTC will look beyond form, examine the substance of the activity and prosecute violations of the federal securities and commodities laws. The Divisions of Enforcement for the SEC and CFTC will continue to address violations and bring actions to stop and prevent fraud in the offer and sale of digital instruments.”

The January 25, 2018 statement was issued by SEC Chairman Jay Clayton and CFTC Chairman J. Christopher Giancarlo and was published as an op-ed piece in the Wall Street Journal.  In summarizing the statements, I add my usual commentary and facts and information on this fast-moving marketplace.

Distributed ledger technology, or DLT, is the advancement that underpins an array of new financial products, including cryptocurrencies and digital payment services. Clearly the regulators understand the technological disruption, pointing out that “[S]ome have even compared it [DLT] to productivity-driving innovations such as the steam engine and personal computer.”

The regulators are careful not to discourage the technological advancement or investments themselves but rather want only those who are sophisticated and can afford a loss to participate. Likewise, unfortunately, with every boom come fraudsters, and investors have to ask the right questions and perform the right due diligence.

As in the dot-com era, of the hundreds (or thousands) of companies popping up in this space, few will survive, and investments in those that do not will be lost. The message from the regulators remains consistent, cautioning investors about the high risks with investments in this new space and stating that “[T]he CFTC and SEC, along with other federal and state regulators and criminal authorities, will continue to work together to bring transparency and integrity to these markets and, importantly, to deter and prosecute fraud and abuse.”

While the initial cryptocurrencies, like bitcoin and ether, were likened to a payment alternative to fiat currencies like the dollar and euro, these alternative currencies are very different.  None are backed by a sovereign government, and they lack governance standards, accountability and oversight, reliable reporting of trading, or consistent reporting of price and other financial metrics.

Of course, this is an exciting era of development and Chairs Clayton and Giancarlo know that, stating:

“This is not a statement against investments in innovation. The willingness to pursue the commercialization of innovation is one of America’s great strengths. Together Americans embrace new technology and contribute resources to developing it. Through great human effort and competition, strong companies emerge. Some of the dot-com survivors are among the world’s leading companies today. This longstanding, uniquely American characteristic is the envy of the world. Our regulatory efforts should embrace it.”

The SEC and CFTC are considering whether the historic approach to the regulation of currency transactions is appropriate for the cryptocurrency markets. Check cashing, payment processing and money transmission services are primarily state regulated. Many of the Internet-based cryptocurrency trading platforms have registered as payment services and are not subject to direct oversight by the SEC or the CFTC. For example, Coinbase has money transmitting licenses from the majority of states. Gemini is a licensed trust company with the New York State Department of Financial Services. Furthermore, the Bank Secrecy Act and its anti-money laundering (AML) requirements apply to those in the business of accepting and transmitting, selling or storing cryptocurrencies.

Not a single cryptocurrency trading platform is currently registered by the SEC or CFTC. However, two CFTC regulated exchanges have now listed bitcoin futures products and, in doing so, engaged in lengthy conversations with the CFTC, ultimately agreeing to implement risk mitigation and oversight measures, heightened margin requirements, and added information sharing agreements with the underlying bitcoin trading platforms. In my next blog I will drill down on the CFTC’s regulatory role and position on cryptocurrencies including a discussion of its October 17, 2017 published article, “A CFTC Primer on Virtual Currencies.”

The SEC does not have jurisdiction over transactions involving currencies or commodities; however, where an offering of a cryptocurrency has characteristics of a securities offering, the SEC and state securities regulators have, and have exercised, jurisdiction. In addition to the many SEC enforcement proceedings I have written about, state regulators have likewise been very active in the enforcement arena against those offering cryptocurrency- or blockchain-related investments. The SEC is carefully monitoring the entire marketplace including issuers, broker-dealers, investment advisors and trading platforms.  On January 18, 2018, the SEC issued a no-action letter prohibiting the registration under the Investment Company Act of 1940 of U.S. investment funds that desire to invest substantially in cryptocurrency and related products. I will provide further details on this letter in an upcoming blog.

As the boom has continued, many cryptocurrencies are simply being marketed for their potential increase in value on secondary trading platforms, again none of which are licensed by the SEC or CFTC.  The utility side of the tokens (if any) has taken a back seat to the craze.  Although a few trading platforms are licensed by state regulators as payment processors, many overseas are not licensed by any regulator whatsoever.

As the SEC has been repeating, the op-ed piece again clearly states that “federal securities laws apply regardless of whether the offered security—a purposefully broad and flexible term—is labeled a  ‘coin’ or ‘utility token’ rather than a stock, bond or investment contract. Market participants, including lawyers, trading venues and financial services firms, should be aware that we are disturbed by many examples of form being elevated over substance, with form-based arguments depriving investors of mandatory protections.”

While attending the North American Bitcoin Conference in Miami a few weeks ago, I was amazed at the thousands of attendees and companies. I go to a lot of financial conferences and had never seen anything like this. I understand the concerns of the regulators and the need to issue constant warnings. While I met some extremely smart people and learned about great companies that could have hugely successful futures, many others were obviously trying to ride a boom, with nothing to offer. They lacked a strong management team, technological know-how, engineers and programmers, a real business, a real plan, or anything to support lasting value of the token issued in their ICO, or being touted for a future issuance. The sole opportunity for an investor was a potential increase in secondary trading value, which was being propped up with hundreds of thousands of dollars (raised in the ICO) of marketing, including crews of people paid to talk about the token on chat boards such as Telegram.

Like many practitioners, I am fascinated with the technology and disruption it will bring to many aspects of our lives including the arenas of corporate finance and trading markets, and have even invested.

International Organization of Securities Commissions Issues Warning on ICO’s

On January 18, 2018, the Board of the International Organization of Securities Commissions (“IOSCO”) issued a warning on ICO’s including the high risk associated with these speculative investments and concerns about fraud. The IOSCO is the leading international policy forum for securities regulators and is a recognized standard setter for securities regulation. The group’s members regulate more than 95% of the world’s securities markets in more than 115 jurisdictions.

The statement from IOSCO points out that ICO’s are not standardized and their legal and regulatory status depends on a facts and circumstances analysis. ICO’s are highly speculative and there is a chance that an entire investment will be lost. The warning continues:

“[W]hile some operators are providing legitimate investment opportunities to fund projects or businesses, the increased targeting of ICOs to retail investors through online distribution channels by parties often located outside an investor’s home jurisdiction — which may not be subject to regulation or may be operating illegally in violation of existing laws — raises investor protection concerns.”

The IOSCO has provided its members with information on approaches to ICO’s and related due diligence. The IOSCO has also established an ICO Consultation Network with its members to continue the discussion.

Further Reading on DLT/Blockchain and ICO’s

For an introduction on distributed ledger technology, including a summary of FINRA’s Report on Distributed Ledger Technology and Implication of Blockchain for the Securities Industry, see HERE.

For a discussion on the Section 21(a) Report on the DAO investigation, statements by the Divisions of Corporation Finance and Enforcement related to the investigative report and the SEC’s Investor Bulletin on ICO’s, see HERE.

For a summary of SEC Chief Accountant Wesley R. Bricker’s statements on ICO’s and accounting implications, see HERE.

For an update on state distributed ledger technology and blockchain regulations, see HERE.

For a summary of the SEC and NASAA statements on ICO’s and updates on enforcement proceedings as of January 2018, see HERE.


An Introduction To Distributed Ledger Technology (Blockchain Technology)

On July 13, 2017, FINRA held a Blockchain Symposium to assess the use of distributed ledger technology (DLT) in the financial industry, including the maintenance of shareholder and corporate records. DLT is commonly referred to as blockchain. The symposium included participation by the Office of the Comptroller of Currency, the US Commodity Futures Trading Commission (CFTC), the Federal Reserve Board and the SEC.

FINRA also published a report earlier in the year discussing the implications of DLT for the securities industry. Delaware, Nevada and Arizona have already passed statutes allowing for the use of DLT for corporate and shareholder records. This is the first of many blogs that will discuss DLT as this exciting new era of technology continues to unfold and impact the securities markets. In this blog I will discuss FINRA’s report published in January 2017 and in the next in the series, I will summarize the recent SEC investigative report on initial coin offerings and conclusion that cryptocurrencies and tokens are securities. In a follow-on blog, I will summarize the state blockchain legislation to date, including Delaware’s groundbreaking statute.

Blockchain is an openly distributed database which is used to continuously maintain a list of records, called blocks. Each new block is linked to prior blocks in such a way that data cannot be retroactively changed in a prior block without changing all blocks, which is virtually impossible. A DLT ledger is shared among a network of participants, instead of relying on a single central ledger.

Ultimately the blockchain technology could be used to maintain shareholder records in a secure immediate form as well as to process capital markets trades instantaneously. It is thought that stock ledgers and any transfers would be updated instantaneously, effectively allowing for T+0 settlement of trades without the need for intermediaries. A change of this magnitude is many years away as effective regulation and consideration on market impacts will take time. For more on trade settlements, see HERE.

The technology is already being utilized, most notably by the cryptocurrency industry. At least one industry leader, Overstock CEO Patrick Byrne’s t0 Technologies, has created a system that could form the basis for widely used blockchain technology which disrupts the capital market trading systems. I don’t expect quick changes to trading systems and settlement. Blockchain remains widely unregulated and without consensus from top financial regulators, any change to capital market structures will face roadblocks. However, I expect that the ability for public companies to maintain stock ledgers using DLT technology will be forthcoming very soon.

FINRA Report on Distributed Ledger Technology and Implications of Blockchain for the Securities Industry

On July 13, 2017, FINRA held a Blockchain Symposium to assess the use of distributed ledger technology (DLT) in the financial industry.  The symposium followed FINRA’s January 2017 report on DLT and its implications for the securities industry. In recent years, over $1 billion has been invested by various market participants to explore the use of DLT in the financial services industry. Although the level and speed of disruption to current systems remains debated, it is universally agreed that DLT will be utilized in the securities industry. DLT has the potential to completely change business models and practices and as such, regulators realize the necessity to be actively engaged to prepare for the new regime. On a positive note, FINRA views DLT as having the potential to provide investors with greater access to services and transparency and to provide firms with increased operational efficiencies and enhanced risk management.

Many aspects of FINRA’s rules and areas of responsibilities can be impacted by DLT, including, for example, clearing arrangements (it is thought that DLT can eliminate middle-market participants involved in the clearing process), recordkeeping requirements, and trade and order reporting and processing. In addition, FINRA rules such as those related to financial condition, verification of assets, anti-money laundering, know-your-customer, supervision and surveillance, fees and commissions, payment to unregistered persons, customer confirmations, materiality impact on business operations, and business continuity plans also may be impacted depending on the nature of the DLT application.

DLT is already being used in the securities markets in the form of initial cryptocurrency offerings (ICO’s) and in states that have passed corporate statutes allowing for the use of the technology to maintain corporate and shareholder records. On July 25, 2017, the SEC issued a report on an investigation related to an ICO by the DAO and statements by the Divisions of Corporation Finance and Enforcement related to the investigative report. Although I will write an in-depth blog on the report and statements in the coming weeks, the SEC concluded that the fundamental tenets related to the definition of a security apply and that cryptocurrencies and tokens that fall within that definition are securities, subject to SEC regulations, regardless of the title or form they may take. For more on decoding what is a security, see HERE.

FINRA’s report on DLT is broken down into three sections including: (i) overview of distributed ledger technology; (ii) DLT securities industry applications and potential impact; and (iii) factors to consider when implementing DLT. FINRA also discussed regulatory requirements and potential changes related to DLT. I will summarize each section with my usual commentary and input.

Overview of Distributed Ledger Technology

DLT involves a distributed database maintained over a network of computers where information can be added by the network participants.  Each added layer of information or data is referred to as a block. The network participants can share and retain identical cryptographically secured information and records.

DLT uses either a public or private network. A public network is open and accessible to anyone that joins, without restrictions. All data stored on a public network is visible to anyone on the network, although it is encrypted. A public network has no central authority and relies solely on the network participants to verify transactions and record data on the network. Algorithm and computational technology is used to protect the integrity of the data.

A private network is limited to individuals and entities that are granted access by a network operator. Access can be tiered with different entities being allowed differing levels of authority to transact and view data. In the financial services industry, it is likely that networks will be private.

The transactions and data on the network usually represent an underlying asset that may be digital assets, such as cryptosecurities and cryptocurrencies, or a representation of a hard asset stored offline (a token representing an interest in a gold bar, for example). Assets on a DLT network are cryptographically secured using public and private key combinations. The public key combination allows access to the network itself, and the private key is for access to the asset itself and is held by the asset holder or its agent.

A transaction may be initiated by any party on the network that holds assets on that network. When a transaction is initiated, it is verified using a predetermined process that can be either consensus-based or proof-of-work based, although new verification processes are being explored. In layman’s terms, the verification process is based on computer computations. The settlement of the transaction occurs when verification is completed. Currently this can occur immediately or take a few hours.

Once verified, a transaction is “cryptographically hashed” and forms a permanent record on the DLT network. Records are time-stamped and displayed sequentially to all parties with network access. Currently, historical records cannot be edited or changed, though technology is being developed to change that.
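As an added illustration (not taken from FINRA's report or from any DLT product), the Python sketch below builds a small hash-linked ledger of the kind described above and shows how an edit to an earlier block is detected, first by the chain itself and then by comparison with the copies held by other participants. The record fields, function names and sample share transfers are constructed for the example, and the consensus or proof-of-work step is not modeled.

```python
import hashlib
import json
from copy import deepcopy

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(index, timestamp, records, prev_hash):
    """SHA-256 over a canonical JSON encoding of the block contents."""
    payload = json.dumps(
        {"index": index, "timestamp": timestamp,
         "records": records, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_block(chain, timestamp, records):
    """Add a block whose prev_hash commits to the block before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "timestamp": timestamp,
             "records": records, "prev_hash": prev_hash}
    block["hash"] = block_hash(block["index"], timestamp, records, prev_hash)
    chain.append(block)
    return block


def first_invalid_block(chain):
    """Return the index of the first block that fails verification, else None."""
    prev_hash = GENESIS_PREV
    for i, b in enumerate(chain):
        if b["index"] != i or b["prev_hash"] != prev_hash:
            return i  # link to the previous block is broken
        expected = block_hash(b["index"], b["timestamp"], b["records"], b["prev_hash"])
        if expected != b["hash"]:
            return i  # contents no longer match the stored hash
        prev_hash = b["hash"]
    return None


def rehash_from(chain, start):
    """Recompute every hash from `start` onward; returns how many blocks changed."""
    for i in range(start, len(chain)):
        b = chain[i]
        b["prev_hash"] = chain[i - 1]["hash"] if i else GENESIS_PREV
        b["hash"] = block_hash(b["index"], b["timestamp"], b["records"], b["prev_hash"])
    return len(chain) - start


def head_matches_peers(chain, peer_heads):
    """True if a strict majority of peers report the same latest-block hash."""
    agree = sum(1 for h in peer_heads if h == chain[-1]["hash"])
    return agree > len(peer_heads) / 2


def sample_ledger():
    """Constructed sample data: four blocks of share transfers."""
    chain = []
    append_block(chain, "2017-07-13T09:00:00Z", [{"from": "issuer", "to": "alice", "shares": 100}])
    append_block(chain, "2017-07-13T09:05:00Z", [{"from": "alice", "to": "bob", "shares": 40}])
    append_block(chain, "2017-07-13T09:10:00Z", [{"from": "bob", "to": "carol", "shares": 10}])
    append_block(chain, "2017-07-13T09:15:00Z", [{"from": "alice", "to": "carol", "shares": 5}])
    return chain


def demo():
    honest = sample_ledger()
    peer_heads = [honest[-1]["hash"]] * 3  # three participants holding identical copies

    # Case 1: a record in block 1 is edited and nothing else is touched.
    edited = deepcopy(honest)
    edited[1]["records"][0]["shares"] = 900

    # Case 2: the edited block's own hash is recomputed, but later blocks are not.
    patched = deepcopy(edited)
    b = patched[1]
    b["hash"] = block_hash(b["index"], b["timestamp"], b["records"], b["prev_hash"])

    # Case 3: every later block is recomputed, so the copy is internally consistent,
    # but its head hash no longer matches what the other participants hold.
    rewritten = deepcopy(edited)
    recomputed = rehash_from(rewritten, 1)

    return {
        "honest": first_invalid_block(honest),
        "edit_only": first_invalid_block(edited),
        "edit_and_rehash_one": first_invalid_block(patched),
        "full_rewrite_valid": first_invalid_block(rewritten),
        "blocks_recomputed": recomputed,
        "honest_matches_peers": head_matches_peers(honest, peer_heads),
        "full_rewrite_matches_peers": head_matches_peers(rewritten, peer_heads),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The third case is why the ledger is shared: a single copy can be rewritten end to end and still verify, so integrity depends on comparing it against the copies the other participants hold.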

DLT Securities Industry Applications and Potential Impact

Currently, market participants are experimenting with several uses of DLT within the market infrastructure and ecosystem. DLT can be used in specific markets, such as debt, equity and derivatives, and in specific market functions, such as clearing. Many discrete applications exist for the use of DLT, including, for example, clearing arrangements, recordkeeping requirements, and trade and order reporting and processing. In addition, DLT can impact financial condition recordkeeping and reporting, verification of assets, anti-money laundering, know-your-customer, supervision and surveillance, fees and commissions, payment to unregistered persons, customer confirmations, materiality impact on business operations, and business continuity plans.

The most common current use of DLT is related to private company equities. DLT can be used to track transfers, maintain shareholder records and for capitalization tables. Nasdaq has utilized DLT technology to complete and record a private securities transaction using its Nasdaq Linq blockchain ledger technology. The Nasdaq platform allows private companies to use DLT to record and track trading of private securities.

DLT will eventually be used for public company equities, but the regulatory aspects are behind the technology. However, Overstock’s Patrick Byrne has created and launched a private platform to allow for public trading of securities using blockchain, called t0 Technologies. The platform only currently trades Overstock’s digital shares, but as an SEC licensed alternative trading system (ATS), the foundation is in place for utilizing the platform to launch and trade public offerings of third-party securities.

The debt market also sees the benefit of DLT. The current average settlement time for the secondary trading of syndicated loans is approximately a month. The repurchase agreement marketplace is filled with inefficiencies, as is the trading market for corporate bonds.  DLT could be used in all aspects of these markets. It is thought that DLT can also be used to automate the derivative marketplace and create greater transparency.

DLT technology is being worked on to create operational processes with the securities industry itself as well, including by creating central repositories of standardized reference data for various securities products, creating efficiencies for all participants. DLT can also centralize identity management functions, on a global scale.

In addition to the centralization of data, DLT can be used to process transactions by using overlaid software. For example, “smart contracts” can be created that would automatically execute agreed-upon terms in a contract based on certain triggering events. Smart contracts can be used for escrow arrangements, collateral management and corporate actions such as dividends and splits.

In addition to discrete areas, DLT can have market-wide impacts as well.  One area that is gaining traction is the clearing process.  Overstock’s platform is called t0 as a play on the widely used T+2 (formerly T+3) time for settlement. t0 references the immediate clearing and settlement of trades using DLT technology. However, despite the technological abilities, FINRA notes that it is unclear what the ideal settlement time would be for various segments of the securities market. Some market participants advocate for a netting and end-of-day settlement rather than a real-time contemporaneous process.

Real-time settlements would also impact short trading and other hedging transactions, including by market makers. On the positive side, it is thought that real-time settlement will reduce market risk, free up collateral and create overall efficiencies. As FINRA notes, it is likely that considerations related to settlement times will differ based on asset type, volume of transactions, liquidity requirements, impact on market makers and current market efficiencies.

Clearly DLT will increase market transparency. The basis of the technology is a series of blocks with a complete history available for view by network participants. Market participants and the investing public could be provided with access to relevant information on the network without the need to create a new reporting infrastructure. FINRA notes that regulators need to consider the benefits of such total transparency and the counter need to protect privacy, personally identifiable information and trading strategies. Also, consideration must be given to the need to ensure that material information available to a private network does not disadvantage the rest of the public.

DLT has the ability to alter or even eliminate the roles of intermediaries in the securities industry. The process of executing a trade as well as the subsequent settlement and clearing of such trade could be done directly between the issuing company and purchaser or third-party buyers and sellers. In addition, the need for market participants that effectuate transaction netting and maintenance of margin requirements could be reduced or eliminated.

The operational risks associated with the securities markets can be changed including sharing information over a network of multiple entities, the use of private and public keys to obtain access to assets, the use of smart contracts and other automated operations. The very nature of DLT as a shared network creates cybersecurity risks and the need for robust countermeasures.

Factors to Consider When Implementing DLT

As discussed, DLT applications have already impacted the securities industry. Many financial institutions have already established in-house or third-party research teams to build and test DLT networks and applications. FINRA’s report provides a good high-level summary of the obvious factors to consider with implementing DLT technology in capital markets, including governance, operational structure and network security.

Governance

A basis of DLT technology is that it is an open network with no centralized governing power or operator. FINRA notes that although there are benefits to this system, there are also issues, such as how to handle a large volume of transactions effectively. As a result, closed networks have started where participants are pre-vetted trusted parties. In the capital markets, questions will need to be answered related to the operation of the network and who has responsibility for what aspects—for example, who would decide governance and internal controls and procedures, who would enforce these governance rules, who would be responsible for day-to-day operations including addressing system failures or technical issues, how errors would be rectified and conflicts of interests addressed.

Operational Structure

Any DLT Network will need to consider its operational structure including a framework for: (i) network participant access and related onboarding and offboarding procedures; (ii) transaction validation; (iii) asset representation (such as shares of stock); and (iv) data and transparency requirements.

A network will need to establish criteria and procedures for establishing and maintaining participating members and determining their level of access. Controls and procedures will need to address: (i) criteria for participants to gain access to the network; (ii) a vetting and onboarding process including identity verification and user agreements; (iii) an offboarding process for both involuntary offboarding as a result of noncompliance and voluntary offboarding; (iv) monitoring and enforcement procedures for compliance with rules of conduct; (v) establishing various levels of access; and (vi) access for regulators.

Networks will need to determine a method for transaction validation. In the short history of blockchain, there have already been different methodologies. Validation could be consensus-based, single-node verifier or multiple-node verifier. Each method has pros and cons, and the specific algorithms and processes would need to be ferreted out.

On the topic of asset representation, networks will need to determine if the actual asset will be directly issued digitally (which only works for certain assets such as intangibles, stock or agreements representing ownership interests) or issued traditionally and be tokenized on the network. If tokenized, further thought must be given to security, handling loss or theft of the underlying asset, fractionalization issues, handling changes such as reverse or forward stock splits or conversions, and new issuances as some examples.

Likewise, thought must be given to the handling of cash on the network, including the settlement of transactions. In that regard, could tokens become a form of cash and if so, how would they ultimately be converted into established government currencies?  Ownership in almost any asset could also be tokenized (such as diamonds, gold, precious metals, art, etc.), creating issues of custodianship and security for the underlying asset. Intangible assets would be relatively easy to tokenize. Fungible assets would be easier than non-fungible assets, with unique assets being the most difficult.

A network will need controls and processes related to data transparency including public or shared information versus private information.

Network Security

In addition to the security of the underlying asset, there are security concerns with the network itself. The issue is more complex due to the decentralized nature of, and global access and participants to, the network. A DLT Network must have security for external and internal risks while maintaining the privacy of personal information for network participants.

Network participants will need to consider: (i) how DLT fits within their current recordkeeping framework including maintenance and backup systems; (ii) cybersecurity issues, including hacking, phishing, malware and other forms of threats and program and testing requirements; (iii) updating written supervisory procedures and policy procedures; and (iv) business controls for identity and transaction verification and fraud prevention.

Regulatory Considerations

Broker-dealers are currently exploring issuing and trading securities, facilitating automated actions such as dividend payments and maintaining transaction records on a DLT network. These areas are regulated by both the SEC and FINRA. The FINRA report points out the potential for a “paradigm shift for several traditional processes in the securities industry through the development of new business models and new practices incorporating DLT” that requires regulatory attention.

I personally believe this shift will occur in a shorter period of time than some others predict. I can see a time in the not-too-distant future where the role of transfer agents is minimalized or completely changed to a reviewer of opinion letters for legend removals; the DTC will be drastically changed and much less powerful; there will no longer be a separation between clearing firms and introducing brokers and all trades will clear instantaneously (t+0).

The FINRA report specifically discusses some major areas of consideration including: (i) customer funds and securities; (ii)

Customer Funds and Securities

DLT will create new ways to hold customer funds and securities and thus custodial changes. Broker-dealers that hold funds and securities must generally comply with Exchange Act Rule 15c3-3, which generally requires the broker to maintain physical possession or control over the customer’s fully paid and excess margin securities. Where funds and securities are purely digital, such as cryptosecurities, consideration will need to be made over how they are accounted for and who has the obligation. In addition, certain activities and access levels could amount to “receiving, delivering, holding or controlling customer assets” such as having access to a private key code for a customer.

Also potentially implicated in this area are Exchange Act Rule 15c3-1 related to net capital requirements, FINRA Rule 4160 on verification of assets and Exchange Act Rule 17a-13 related to quarterly security counts.

Broker-Dealer Net Capital

Exchange Act Rule 15c3-1 requires a firm to maintain a minimum level of net capital at all times. The FINRA Rule 4100 series sets forth the rules and requirements for complying with net capital requirements including calculations and which assets are allowable or non-allowable within those calculations. Regulations need to address how cryptosecurities, digital currency, and tokens in general will be accounted for, for purposes of net capital calculations.

Books and Records Requirements

Exchange Act Rule 17a-3 and 17a-4 and FINRA Rule 4511 regulate book and record requirements for broker-dealers. DLT allows books and records to be maintained on the network itself, though consideration must be made as to how this will comply with regulations, and what changes need to be made with the regulations to update for the new technology.

Clearance and Settlement

It is my view that DLT could have the biggest impact on clearance and settlement from a pure industry disruption viewpoint. FINRA notes, “Depending on how trade execution and settlement is ultimately structured, broker-dealers and other market participants may wish to consider whether any of their activities in the DLT environment meet the definition of a clearing agency and whether corresponding clearing agency registration requirements under Section 17A of the Exchange Act would be applicable.”

In addition, as mentioned, DLT could eliminate the distinction between introducing and clearing brokers and the corresponding carrying agreement rules.

Anti-Money Laundering and Customer Identification Programs

DLT allows for global and anonymous participation, and accordingly practices and regulations will need to address anti-money laundering (AML) and customer identification obligations (CIP). The Bank Secrecy Act of 1970 requires controls and procedures to detect and prevent money laundering. FINRA Rule 3310 addresses AML obligations.  For more on this topic, see HERE.

In addition, FINRA Rule 2090, the Know Your Customer (KYC) rule, requires firms to “use reasonable diligence, in regard to the opening and maintenance of every account, to know (and retain) the essential facts concerning every customer and concerning the authority of each person acting on behalf of such customer.” Technology is already being explored to centralize identity management functions such that once a customer identity is verified, the information can be shared with all network participants. Obviously this would greatly streamline processes for broker-dealers and customers alike.

It is likely that DLT technology will surpass regulatory changes in the AML/CIP/KYC sectors. The FINRA report notes that the current rules allow a firm to outsource functions to third parties, but not overall responsibility. Accordingly, a firm could utilize DLT technology for these functions now if they can fashion internal controls and procedures that comply with the ultimate rule responsibilities.

Customer Data Privacy

Broker-dealers have an obligation to protect personal customer information (Regulation S-P). The rules also require that a firm provide an annual notice to customers related to the protection, and sharing, of their personal information. DLT by nature will include customer information and transaction histories that will be available to network participants. Regulations, as well as internal controls and procedures, will need to adapt for DLT technology.

Trade and Order Reporting Requirements

FINRA regulates the trading and order reporting requirements for the over-the-counter (OTC Markets) and requires certain reports to a centralized Securities Information Processor for listed securities. DLT may soon be used for the facilitation of OTC Markets equity transactions. This may involve tokenizing existing securities and trading on a different network. FINRA Rule 6100 Series (Quoting and Trading in NMS Stock), Rule 6400 Series (Quoting and Trading on OTC Equity Securities), Rule 4550 Series (Alternative Trading Systems) and Rule 5000 Series governing offering and trading standards and practices would all be implicated. I note that t0 Technologies has registered as an ATS.

Supervision and Surveillance

DLT networks will present new and unique challenges related to maintaining supervisory rules and procedures as well as surveillance systems themselves. This area includes the ability to review customer accounts and correct order errors. Like other areas of DLT technology, centralized systems available to all network participants are being developed that can perform some of these functions.

Fees and Commissions

Certain additional fees may be necessary for a DLT network, such as wallet management, key management and on-boarding, whereas other areas may reduce fees as centralization brings economies. In addition, consideration must be given to the payment of fees to third parties that are not registered broker-dealers but that provide DLT outsource functions.

Customer Confirmations and Account Statements

Exchange Act Rule 10b-10 requires firms to provide customers with certain records including trade confirmations and account statements.  DLT technology will change the flow and availability of information.

Material Impact on Business Operations

NASD Rule 1017(a)(5) requires broker-dealers that undergo a material change in business operations to file a Continuing Membership Application (CMA) prior to implementing the material change. Many of the aspects of DLT technology may result in a material change and broker-dealers need to consider the need to file 1017 applications.

Business Continuity Plans

FINRA Rule 4370 requires broker-dealers to maintain business continuity plans. Firms must consider the impact of DLT technology on their plans and update accordingly.