The CFPB’s New Proposed Rule to Protect Crypto Consumers from Theft

By Mauro M. Wolfe and Carolina Goncalves

Like banks, cryptocurrency firms are not immune from attacks designed to steal consumer assets, which attacks reportedly caused billions in crypto losses for consumers in 2024 alone. As a result, the US Consumer Financial Protection Bureau (CFPB) proposed a rule intended to protect crypto users from illicit activities by requiring cryptocurrency firms to reimburse consumers for stolen funds. The Electronic Funds Transfer Act (EFTA) and Regulation E currently limit consumer liability for unauthorized electronic fund transfers (EFTs) and impose investigation and error resolution obligations (e.g., funds in reserve) on financial institutions when notified that a consumer’s funds have been compromised. The proposed rule would provide similar consumer protections in the event of an unauthorized cryptocurrency transfer from an account established primarily for personal, family, or household purposes.

The EFTA and Regulation E apply to an EFT authorizing a financial institution to debit or credit a consumer’s account. The CFPB’s definition of “financial institution” includes nonbank entities that (a) hold a consumer account or (b) issue an access device and agree with a consumer to provide EFT services. The CFPB has also determined that “funds” include digital assets, like stablecoins, that operate as either a medium of exchange or as a means of paying for goods and services. The CFPB’s definition of “account” is also broad enough to include nonbank asset accounts (e.g., accounts on gaming platforms, virtual currency wallets) with features similar to those of more traditional deposit or savings accounts, such as paying for goods or services from multiple merchants, having the ability to withdraw funds or obtain cash, or conducting person-to-person transfers.

The proposed rule intends to establish a more consistent application of the EFTA and Regulation E to a range of “emergent payment mechanisms” by requiring “market participants offering new types of payment mechanisms to facilitate electronic fund transfers [to] understand whether their account meets the definition of ‘other consumer asset account,’ including whether it is established for ‘personal, family, or household purposes.’” The proposed rule is open to public comments until March 31.

We anticipate material changes to digital asset and blockchain policy when the next chapter begins under the Trump administration. The broader question for consideration is where consumer protection will fit within crypto regulations. We hope for the benefit of retail investors that it is of paramount importance.

Virtual Currency Exchanges, Blockchain and Privacy Rights Under the U.S. Constitution

By Mauro M. Wolfe and Carolina Goncalves

Virtual currency exchanges and blockchain technology continue to raise novel questions for U.S. courts, including in the application or limitations of privacy rights to blockchain users under criminal prosecution. In the latest development, a federal appeals court has ruled that defendants do not have the type of privacy protections over crypto transactions that require law enforcement to first secure a search warrant. In short, a regular grand jury subpoena was sufficient to obtain the crypto data, resulting in a solid victory for prosecutors.

In United States v. Gratkowski, 964 F.3d 307 (5th Cir. 2020), the Fifth Circuit Court of Appeals held that there is no privacy interest in both Bitcoin blockchain data and Bitcoin transaction history to justify the requirement that law enforcement secure a search warrant first.

In Gratkowski, the Fifth Circuit analyzed whether the Fourth Amendment protected a criminal defendant’s privacy interests in data located on a virtual currency exchange and the virtual currency exchange’s blockchain. The background is that defendant Gratkowski became the subject of a federal investigation after using Bitcoin to pay for online child pornography. Federal agents were able to identify Gratkowski after analyzing the publicly viewable Bitcoin blockchain to identify a cluster of Bitcoin addresses controlled by the website. The agents then used that information to serve a routine grand jury subpoena on Coinbase for all information on the Coinbase customers whose accounts had sent Bitcoin to any of the addresses in the website’s cluster. The agents identified Gratkowski as one of these customers and thereafter, based on the information from the grand jury subpoena, obtained a search warrant for evidence in his home, where they obtained additional incriminating evidence.

Gratkowski filed a motion to suppress the evidence obtained through the search warrant, arguing that the original subpoena to Coinbase and the blockchain analysis violated his constitutional rights against unreasonable searches under the Fourth Amendment. In effect, the defendant argued that law enforcement needed a search warrant for his records located at Coinbase. The trial court denied the motion, and Gratkowski appealed the decision to the Fifth Circuit.

On appeal, Gratkowski argued that he had a reasonable expectation of privacy in his information held in the Bitcoin blockchain and Coinbase records by comparing it to cell-site location information (“CSLI”), which the U.S. Supreme Court has held to implicate constitutional privacy concerns such that a search warrant is required. The appellate court disagreed with Gratkowski and held that he lacked a privacy interest in both the Bitcoin blockchain data and his Bitcoin transaction history on Coinbase because that information is more analogous to bank records, which are not subject to privacy protections.

In reaching its conclusion, the court applied the third-party doctrine, which provides that a person generally does not have a legitimate expectation of privacy in information he voluntarily turns over to third parties. Specifically, the appellate court found that “Coinbase is a financial institution, a virtual currency exchange, that provides Bitcoin users with a method for transferring Bitcoin. The main difference between Coinbase and traditional banks… is that Coinbase deals with virtual currency while traditional banks deal with physical currency. But both are subject to the Bank Secrecy Act as regulated financial institutions.” The court further focused on “the nature of the information and the voluntariness of the exposure” in concluding that it “weigh[ed] heavily against finding a privacy interest in Coinbase records.” Unlike CSLI, information on the Bitcoin blockchain and held by Coinbase is limited to transaction amounts and identifying information about sender and beneficiary, and each Bitcoin transaction is recorded in a publicly available blockchain accessible to every Bitcoin user. Additionally, transacting Bitcoin through Coinbase or other virtual currency exchange requires the user to perform an “affirmative act” in transacting through a third-party intermediary. Therefore, Gratkowski did not have a reasonable expectation of privacy in either the Bitcoin blockchain data or his Coinbase transaction history requiring law enforcement to obtain a search warrant.

Other U.S. courts have relied on the Gratkowski court’s conclusion that account information and records obtained by the federal government from virtual currency exchanges are not subject to constitutional privacy protections.[1]

We will continue monitoring Gratkowski and its progeny and whether these issues ultimately come before the U.S. Supreme Court.


[1] See, e.g., Harper v. Werfel, 118 F.4th 100 (1st Cir. 2024); United States v. Patel, No. 23-CR-166 (DLF), 2024 WL 1932871 (D.D.C. May 1, 2024); Harper v. Rettig, 675 F. Supp. 3d 190 (D.N.H. 2023), aff’d sub nom. Harper v. Werfel, 118 F.4th 100 (1st Cir. 2024); United States v. Harris, No. 1:21-CR-74-6, 2023 WL 3475406 (S.D. Ohio May 15, 2023).

The Growth of RWA Tokenization

By Joseph E. Silvia and Carolina Goncalves

The tokenization of real-world assets (RWAs) is a growing industry that, as of September 2024, was valued at approximately $118.6 billion. RWA tokenization is projected to become a trillion-dollar global industry by 2030, thanks to the development of infrastructure to facilitate the ownership, exchange and transfer of RWA tokens by some of the largest global financial institutions.

What is asset tokenization?

Asset tokenization is the transformation of physical assets, like real estate, art, bonds, money market funds (MMFs) and stocks, into digital tokens that can be bought, held or traded on a blockchain. The tokens represent ownership or a fractional share in an asset, which facilitates its exchange or transfer. Unlike cryptocurrency, tokenized assets have underlying value that is not necessarily driven by market demand, utility and speculation.

Asset tokenization, together with smart contracts, automate processes and increase transparency and security in the ownership and trade of assets. Smart contracts on the blockchain manage asset ownership and transaction details, such as divisibility and transfer restrictions. Additionally, asset tokenization and smart contracts may improve liquidity, transparency, availability, accuracy, programmability and reduce fraud through blockchain technology.

How does RWA tokenization work?

By way of example, the tokenization of a piece of artwork introduces the ability to invest in the artwork and own a fractional share, rather than purchasing the entire asset. If the artwork is priced at $10,000, for example, asset tokenization allows an investor to purchase the asset in fractions (e.g., 1000 fractional assets of $10 each).

Once the owner’s rights over the artwork are verified, the artwork would be transferred to a blockchain-based platform that supports tokenization, and the asset’s value would be assessed and finalized. The artwork would then be divided into tokens that can be purchased and traded by investors pursuant to the applicable smart contracts.

The future of RWA tokenization

RWA tokenization similarly applies to financial products like MMFs. Major financial institutions like Visa, JPMorgan and Deutsche Bank are implementing platforms for the tokenization of different RWAs, including MMFs. For example, in October 2023, JPMorgan announced its Tokenized Collateral Network (TCN), which is a live product that allows investors to tokenize their MMF shares and collateralize them.

Deutsche Bank announced in May 2024 that it joined the Monetary Authority of Singapore’s Project Guardian, a collaborative initiative involving global policymakers from different countries like the UK and Switzerland, to test a blockchain platform to service tokenized and digital funds.

On October 3, 2024, Visa launched a Visa Tokenized Asset Platform (VTAP). VTAP, which is currently in sandbox mode, allows for the issuance and management of various fiat-backed digital assets like stablecoins, deposits and central bank digital currencies (CBDCs), and will cater to banks by offering a comprehensive infrastructure for securely minting, transferring and settling digital assets across public and permissioned blockchains.

Of course, there are potential challenges like regulatory uncertainty and smart contract vulnerabilities. That said, the increasing prevalence of RWA tokenization among investors and financial institutions in the U.S. and abroad will likely push for more certainty and stability in the industry, further driving its growth.


Hong Kong Continues to Promote a Pro-Crypto Stance with a New Enhanced Regulatory Framework

By Mauro Wolfe and Carolina Goncalves

In the game of which jurisdiction will become the crypto global king, Hong Kong is the latest aspiring fintech hub to announce enhancements to its digital asset regulation framework. No doubt this change is designed to give Hong Kong an edge in the global crypto markets.

In July 2024, the Hong Kong Monetary Authority (HKMA) announced its plans to enhance its digital asset regulatory framework by introducing legislation related to stablecoins, a type of cryptocurrency tied to stable assets like fiat currencies, within the following 18 months. The HKMA is carrying out sandbox testing and plans to introduce stablecoins by the end of 2024.

HKMA launched the sandbox in March 2024 as “part of the HKMA’s efforts in facilitating the sustainable and responsible development of stablecoin ecosystem in Hong Kong.” The sandbox participants are required to “propose concrete use cases for the stablecoin to help address pain points in economic activities and create value and new opportunities for [Hong Kong’s] economy and financial services.” The use cases will involve supply chain management, applications in capital markets and digital asset trading, including cross-border trade payments. The sandbox participants will then provide their use case feedback to regulators who will use the data to formulate a “fit-for-purpose and risk-based regulatory regime.” Where the use case involves cross-border payments, the sandbox participants must ensure that both they and their overseas partners strictly comply with the legal and regulatory requirements of the applicable jurisdictions, in addition to ensuring that their stablecoin issuance process complies with the sandbox requirements and Hong Kong laws. The participants will be prohibited from soliciting or handling funds from the public for sandbox activities.

On July 18, 2024, the HKMA announced the first participants in its stablecoin issuer sandbox. They include a company linked to significant Chinese e-commerce retailer Jingdong Coinlink Technology; RD InnoTech Limited, a local fintech firm; and a coalition of Standard Chartered Bank, venture capital firm Animoca Brands and Hong Kong Telecommunications. The sandbox participants will undergo an assessment process as they test their respective stablecoin operational plans within a limited scope and in a risk-controlled environment specified by the HKMA. The HKMA will announce on its website any future participants as it continues to process sandbox applications.

These developments follow a two-month public consultation period that received 108 stakeholder submissions, including from market participants, industry associations and professional organizations. The consensus was that a regulatory regime is necessary for stablecoin issuers to both manage potential monetary and financial stability risks and also ensure transparent and effective oversight.

Hong Kong’s enhanced regulatory framework is aligned with developments in international standards and practices, such as the expectations of the G20’s Financial Stability Board, in the virtual asset ecosystem, including the issuance of stablecoin. The new framework is intended to (1) complement existing regulatory measures for virtual asset trading platforms, (2) make digital asset transactions more secure through regulatory oversight and enforcement, (3) encourage more innovative financial products in Hong Kong, (4) foster innovation and (5) attract global fintech talent.

A central feature of cryptocurrency is the development of borderless commerce. Regardless of which jurisdiction becomes the global crypto king, the cross-border nature of crypto business development is here to stay. Duane Morris will continue to monitor the global legislative landscape as the digital asset continues to mature.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress