The CFPB’s New Proposed Rule to Protect Crypto Consumers from Theft

By Mauro M. Wolfe and Carolina Goncalves

Like banks, cryptocurrency firms are not immune from attacks designed to steal consumer assets, which attacks reportedly caused billions in crypto losses for consumers in 2024 alone. As a result, the US Consumer Financial Protection Bureau (CFPB) proposed a rule intended to protect crypto users from illicit activities by requiring cryptocurrency firms to reimburse consumers for stolen funds. The Electronic Funds Transfer Act (EFTA) and Regulation E currently limit consumer liability for unauthorized electronic fund transfers (EFTs) and impose investigation and error resolution obligations (e.g., funds in reserve) on financial institutions when notified that a consumer’s funds have been compromised. The proposed rule would provide similar consumer protections in the event of an unauthorized cryptocurrency transfer from an account established primarily for personal, family, or household purposes.

The EFTA and Regulation E apply to an EFT authorizing a financial institution to debit or credit a consumer’s account. The CFPB’s definition of “financial institution” includes nonbank entities that (a) hold a consumer account or (b) issue an access device and agree with a consumer to provide EFT services. The CFPB has also determined that “funds” include digital assets, like stablecoins, that operate as either a medium of exchange or as a means of paying for goods and services. The CFPB’s definition of “account” is also broad enough to include nonbank asset accounts (e.g., accounts on gaming platforms, virtual currency wallets) with features similar to those of more traditional deposit or savings accounts, such as paying for goods or services from multiple merchants, having the ability to withdraw funds or obtain cash, or conducting person-to-person transfers.

The proposed rule intends to establish a more consistent application of the EFTA and Regulation E to a range of “emergent payment mechanisms” by requiring “market participants offering new types of payment mechanisms to facilitate electronic fund transfers [to] understand whether their account meets the definition of ‘other consumer asset account,’ including whether it is established for ‘personal, family, or household purposes.’” The proposed rule is open to public comments until March 31.

We anticipate material changes to digital asset and blockchain policy when the next chapter begins under the Trump administration. The broader question for consideration is where consumer protection will fit within crypto regulations. We hope for the benefit of retail investors that it is of paramount importance.

Virtual Currency Exchanges, Blockchain and Privacy Rights Under the U.S. Constitution

By Mauro M. Wolfe and Carolina Goncalves

Virtual currency exchanges and blockchain technology continue to raise novel questions for U.S. courts, including in the application or limitations of privacy rights to blockchain users under criminal prosecution. In the latest development, a federal appeals court has ruled that defendants do not have the type of privacy protections over crypto transactions that require law enforcement to first secure a search warrant. In short, a regular grand jury subpoena was sufficient to obtain the crypto data, resulting in a solid victory for prosecutors.

In United States v. Gratkowski, 964 F.3d 307 (5th Cir. 2020), the Fifth Circuit Court of Appeals held that there is no privacy interest in both Bitcoin blockchain data and Bitcoin transaction history to justify the requirement that law enforcement secure a search warrant first.

In Gratkowski, the Fifth Circuit analyzed whether the Fourth Amendment protected a criminal defendant’s privacy interests in data located on a virtual currency exchange and the virtual currency exchange’s blockchain. The background is that defendant Gratkowski became the subject of a federal investigation after using Bitcoin to pay for online child pornography. Federal agents were able to identify Gratkowski after analyzing the publicly viewable Bitcoin blockchain to identify a cluster of Bitcoin addresses controlled by the website. The agents then used that information to serve a routine grand jury subpoena on Coinbase for all information on the Coinbase customers whose accounts had sent Bitcoin to any of the addresses in the website’s cluster. The agents identified Gratkowski as one of these customers and thereafter, based on the information from the grand jury subpoena, obtained a search warrant for evidence in his home, where they obtained additional incriminating evidence.

Gratkowski filed a motion to suppress the evidence obtained through the search warrant, arguing that the original subpoena to Coinbase and the blockchain analysis violated his constitutional rights against unreasonable searches under the Fourth Amendment. In effect, the defendant argued that law enforcement needed a search warrant for his records located at Coinbase. The trial court denied the motion, and Gratkowski appealed the decision to the Fifth Circuit.

On appeal, Gratkowski argued that he had a reasonable expectation of privacy in his information held in the Bitcoin blockchain and Coinbase records by comparing it to cell-site location information (“CSLI”), which the U.S. Supreme Court has held to implicate constitutional privacy concerns such that a search warrant is required. The appellate court disagreed with Gratkowski and held that he lacked a privacy interest in both the Bitcoin blockchain data and his Bitcoin transaction history on Coinbase because that information is more analogous to bank records, which are not subject to privacy protections.

In reaching its conclusion, the court applied the third-party doctrine, which provides that a person generally does not have a legitimate expectation of privacy in information he voluntarily turns over to third parties. Specifically, the appellate court found that “Coinbase is a financial institution, a virtual currency exchange, that provides Bitcoin users with a method for transferring Bitcoin. The main difference between Coinbase and traditional banks… is that Coinbase deals with virtual currency while traditional banks deal with physical currency. But both are subject to the Bank Secrecy Act as regulated financial institutions.” The court further focused on “the nature of the information and the voluntariness of the exposure” in concluding that it “weigh[ed] heavily against finding a privacy interest in Coinbase records.” Unlike CSLI, information on the Bitcoin blockchain and held by Coinbase is limited to transaction amounts and identifying information about sender and beneficiary, and each Bitcoin transaction is recorded in a publicly available blockchain accessible to every Bitcoin user. Additionally, transacting Bitcoin through Coinbase or other virtual currency exchange requires the user to perform an “affirmative act” in transacting through a third-party intermediary. Therefore, Gratkowski did not have a reasonable expectation of privacy in either the Bitcoin blockchain data or his Coinbase transaction history requiring law enforcement to obtain a search warrant.

Other U.S. courts have relied on the Gratkowski court’s conclusion that account information and records obtained by the federal government from virtual currency exchanges are not subject to constitutional privacy protections.[1]

We will continue monitoring Gratkowski and its progeny and whether these issues ultimately come before the U.S. Supreme Court.


[1] See, e.g., Harper v. Werfel, 118 F.4th 100 (1st Cir. 2024); United States v. Patel, No. 23-CR-166 (DLF), 2024 WL 1932871 (D.D.C. May 1, 2024); Harper v. Rettig, 675 F. Supp. 3d 190 (D.N.H. 2023), aff’d sub nom. Harper v. Werfel, 118 F.4th 100 (1st Cir. 2024); United States v. Harris, No. 1:21-CR-74-6, 2023 WL 3475406 (S.D. Ohio May 15, 2023).

Hong Kong Continues to Promote a Pro-Crypto Stance with a New Enhanced Regulatory Framework

By Mauro Wolfe and Carolina Goncalves

In the game of which jurisdiction will become the crypto global king, Hong Kong is the latest aspiring fintech hub to announce enhancements to its digital asset regulation framework. No doubt this change is designed to give Hong Kong an edge in the global crypto markets.

In July 2024, the Hong Kong Monetary Authority (HKMA) announced its plans to enhance its digital asset regulatory framework by introducing legislation related to stablecoins, a type of cryptocurrency tied to stable assets like fiat currencies, within the following 18 months. The HKMA is carrying out sandbox testing and plans to introduce stablecoins by the end of 2024.

HKMA launched the sandbox in March 2024 as “part of the HKMA’s efforts in facilitating the sustainable and responsible development of stablecoin ecosystem in Hong Kong.” The sandbox participants are required to “propose concrete use cases for the stablecoin to help address pain points in economic activities and create value and new opportunities for [Hong Kong’s] economy and financial services.” The use cases will involve supply chain management, applications in capital markets and digital asset trading, including cross-border trade payments. The sandbox participants will then provide their use case feedback to regulators who will use the data to formulate a “fit-for-purpose and risk-based regulatory regime.” Where the use case involves cross-border payments, the sandbox participants must ensure that both they and their overseas partners strictly comply with the legal and regulatory requirements of the applicable jurisdictions, in addition to ensuring that their stablecoin issuance process complies with the sandbox requirements and Hong Kong laws. The participants will be prohibited from soliciting or handling funds from the public for sandbox activities.

On July 18, 2024, the HKMA announced the first participants in its stablecoin issuer sandbox. They include a company linked to significant Chinese e-commerce retailer Jingdong Coinlink Technology; RD InnoTech Limited, a local fintech firm; and a coalition of Standard Chartered Bank, venture capital firm Animoca Brands and Hong Kong Telecommunications. The sandbox participants will undergo an assessment process as they test their respective stablecoin operational plans within a limited scope and in a risk-controlled environment specified by the HKMA. The HKMA will announce on its website any future participants as it continues to process sandbox applications.

These developments follow a two-month public consultation period that received 108 stakeholder submissions, including from market participants, industry associations and professional organizations. The consensus was that a regulatory regime is necessary for stablecoin issuers to both manage potential monetary and financial stability risks and also ensure transparent and effective oversight.

Hong Kong’s enhanced regulatory framework is aligned with developments in international standards and practices, such as the expectations of the G20’s Financial Stability Board, in the virtual asset ecosystem, including the issuance of stablecoin. The new framework is intended to (1) complement existing regulatory measures for virtual asset trading platforms, (2) make digital asset transactions more secure through regulatory oversight and enforcement, (3) encourage more innovative financial products in Hong Kong, (4) foster innovation and (5) attract global fintech talent.

A central feature of cryptocurrency is the development of borderless commerce. Regardless of which jurisdiction becomes the global crypto king, the cross-border nature of crypto business development is here to stay. Duane Morris will continue to monitor the global legislative landscape as the digital asset continues to mature.

District Judge Imposes $125 million fine on Ripple Labs, Demanding No Future Securities Law Infringements after 3-plus year battle with SEC

By Mauro Wolfe

In the ongoing legal saga between Ripple Labs Inc. and the SEC, U.S. District Judge Analisa Torres of the Southern District of New York imposed a $125 million fine on Ripple Labs, a provider of digital asset infrastructure for financial services, and restrained the company from violating U.S. securities laws in the future.

The SEC v. Ripple Labs case is a significant precedent in the cryptocurrency and commercial finance legal communities. The dispute centered around whether Ripple’s sale of XRP – a cryptocurrency developed, issued and partially managed by Ripple – constituted an unregistered securities offering. The SEC contended that XRP should be classified as a security, and therefore Ripple should have registered its transactions with the SEC. However, Ripple argued that XRP is a digital currency and not a security, asserting that the SEC’s application of securities laws to XRP was inappropriate and harmful to innovation in the cryptocurrency space.

On December 22, 2020, the SEC filed an action against Ripple and two of its executives for allegedly using an unregistered digital asset security to raise funds. The SEC charged the defendants with violating the registration provisions of the Securities Act of 1933, seeking injunctive relief, disgorgement with prejudgment interest and civil penalties.

The SEC’s lawsuit stated that Ripple and the two executives started raising funds in 2013 by selling XRP digital assets to investors in the United States and other countries in an unregistered, ongoing digital asset securities offering. The term “unregistered” is key to the SEC’s allegations because the agency’s argument centered around the nature of XRP as digital asset securities and not as a simple cryptocurrency. Additionally, Ripple allegedly gave out billions of XRP in exchange for activities like market-making and labor, contrary to a monetary compensation. In consequence, the complaint alleged that the defendants violated the federal securities laws’ registration requirements by not registering or not meeting any of the exemptions to register these kind of transactions.

Ripple disagreed, arguing that it was not adequately notified of its purported violations of registration regulations. Reluctant to categorize XRP as a security, Ripple defiantly challenged the SEC in federal court. Ultimately, the court was not persuaded with this argument entirely.

In Judge Torres’ decision on July 13, 2023, the court held that XRP “is not in and of itself ‘a contract, transaction, or scheme’ that embodies the Howey requirements of an investment contract.” Ultimately, the court found that Ripple violated the securities laws in its transactions aimed to offer XRP to institutional buyers such as hedge funds. As we have written in other blog posts, the court held that the secondary market transactions were not securities. Other courts have not followed Judge Torres’ analysis as to secondary markets. The disagreement between trial level courts in various cases leaves ultimate resolution on the application of the Howey test to cryptocurrencies to the federal appellate courts and most likely the U.S. Supreme Court, unless congressional legislation arrives first.

Following the summary judgment order from a year ago, the District Court issued the final judgment on August 7, 2024, after nearly four years of litigation. The court’s summary judgment found that some of Ripple’s transactions involving the exchange or sale of XRP were not considered in violation of the securities laws. However, the court held that XRP tokens sold to institutional investors were in violation of Howey, and awarded the SEC with $125 million civil monetary penalty and issued an injunction barring the company from future violations of Section 5 of the Securities Act.

This decision highlights the ongoing challenges that crypto markets face with regard to U.S. law and regulation. In effect, law and regulation lag behind the pace of industry.

The murky U.S. legal and regulatory landscape makes for challenges for the crypto markets and its participants. While other foreign countries are developing new laws and regulations, the sector waits for the creation of the U.S. crypto framework.

Once that happens, the United States may yet have a chance to be the leading crypto market in the world.

Special thanks to law clerk Laila Salame Khouri for her assistance with this blog post.

Coinbase Effort to Dismiss SEC Suit Falls Short

A New York federal court has held that the SEC sufficiently pleaded that Coinbase—a well-known cryptocurrency exchange, broker, and clearing agency—operated as an unregistered intermediary of securities and engaged in the unregistered offer and sale of securities through its crypto staking program.  In a partial win for Coinbase (and possibly others offering wallet services), the court dismissed the SEC’s claim that Coinbase acted as an unregistered broker by offering a crypto wallet application to its customers.  The case is Sec. and Exch. Comm’n v. Coinbase, Inc., 23 Civ. 4738 (S.D.N.Y. Mar. 27, 2024).

This decision has important ramifications for all players in the crypto market, as it clears the way for the SEC to continue to act as the primary regulator of crypto in the absence of further regulatory direction from Congress and allows the SEC to continue aggressive enforcement in the crypto space.

Coinbase operates as one of the world’s largest crypto trading platforms that offers additional services that complement its crypto trading operations.  Coinbase “Prime” is a service that institutional customers can use to execute large volumes of crypto trades through both Coinbase and third-party trading platforms.  Coinbase “Wallet” is a self-custodial wallet that allows customers to store crypto assets on their own computers or mobile devices with the ability to connect to decentralized exchanges to trade these assets.  Coinbase’s staking program allows customers to earn financial rewards (usually in the form of cryptocurrency) for transferring custody of assets to Coinbase, who in turn takes a commission from the staking profits and returns the balance to the customer.

On June 6, 2023, the SEC brought a lawsuit against Coinbase under the Securities Act of 1933 and the Securities Exchange Act of 1934.  The SEC alleged that Coinbase violated the law by acting as an unregistered securities broker, an unregistered securities exchange, and an unregistered securities clearing agency.  The SEC named a dozen popular crypto assets (including Solana and Chiliz) and argued that these assets met the legal definition of a “security” (in SEC parlance, an “investment contract”).  Thus, the SEC alleged that Coinbase violated the law by working with these assets and not registering with the SEC.  Coinbase moved to dismiss the SEC’s complaint, contending primarily that none of the crypto assets named by the SEC met the definition of an investment contract and Coinbase therefore was not subject to federal securities laws.

The decision, authored by Judge Katherine Polk Failla in the Southern District of New York, first held that the SEC was not violating regulatory and administrative law by instituting its enforcement action against Coinbase.  The court then applied the well-known Howey test for investment contracts and held that the SEC plausibly alleged that at least some of the crypto asset transactions on Coinbase’s platform (including those on its Prime service) constituted investment contracts.  After finding that the SEC plausibly alleged that Coinbase facilitated transactions in securities, the Court declined to dismiss the majority of the SEC’s claims alleging that Coinbase violated the federal securities laws. Additionally, the Court held that the SEC adequately alleged that Coinbase’s crypto staking program was an investment contract subject to federal securities law.

Notably, the court rejected Coinbase’s argument that secondary market transactions–those that involve an asset purchaser buying crypto assets from someone other than the original issuer–were excluded from the definition of investment contracts.  Coinbase relied, among other cases, on the July 2023 decision in SEC v. Ripple by another judge in the Southern District of New York, which held that Ripple’s sales of XRP (a crypto token) on secondary platforms did not constitute securities transactions (SEC v. Ripple also held that sales of XRP to institutional investors did constitute securities transactions).

Without directly contradicting the Ripple decision, Judge Failla ruled that crypto transactions on the secondary market cannot be categorically excluded from constituting investment contracts.  The Howey test makes no such distinction and Judge Failla found little logic to the attempt to draw a distinction between investors who buy directly from the issuer and those who purchase on the secondary market in reliance on “promises and offers made by issuers to the investing public.”  In her opinion, Judge Failla cited favorably to the December 2023 decision SEC v. Terraform Labs, from yet another judge of the Southern District of New York, which rejected many of the same arguments Coinbase raised regarding transactions on the secondary market.

The court did, however, dismiss the SEC’s claim that Coinbase conducted unregistered securities brokerage activity through its “Wallet” application.  The court noted that the Wallet application did not undertake routing activities traditionally carried out by securities brokers, including directing how and when to execute trades.  Indeed, the SEC’s allegations conceded that Coinbase had no control over a user’s crypto assets via the “Wallet” application.  This was ultimately fatal to the SEC’s claim because the SEC failed to adequately allege that Coinbase was acting as a broker.

The Coinbase decision provides the SEC with a win in two areas.  First, the court held that the SEC’s aggressive crypto enforcement actions did not violate federal or regulatory law, paving the way for the SEC to continue acting as the primary U.S. crypto regulator.  Second, the decision held as a matter of law that the SEC adequately alleged that Coinbase’s crypto services dealt in investment contracts.  Finally, the balance of cases within the Southern District of New York has now tipped decidedly in favor of the conclusion that, when the elements of the Howey test are met, there is little distinction to be drawn between investors who buy directly from the issuer and those who purchase on the secondary market.  While the SEC may not necessarily prevail at trial, this opens the door for further crypto enforcement actions and provides a strong basis for such actions to proceed past the pleading stage into the expensive and time-consuming process of discovery and motion practice.

Webinar: U.S. Law Enforcement Targets Growing Global Crypto Market

Duane Morris and Khaitan & Co will present a Zoom webinar, U.S. Law Enforcement Targets Growing Global Crypto Markets: The Tiger in the Grass ‒ What Every Crypto Actor Must Know Now, on Thursday, January 18, 2024, from 4:30 p.m. to 5:30 p.m. IST. (Note: For those attendees located in the U.S., the time for this webinar is Thursday, January 18, 2024, from 6:00 a.m. to 7:00 a.m. Eastern.)

REGISTER

Continue reading “Webinar: U.S. Law Enforcement Targets Growing Global Crypto Market”

Webinar: U.S. Law Enforcement Targets Crypto in Asia: The Tiger in the Grass ‒ What Every Crypto Actor Must Know Now

Duane Morris will present U.S. Law Enforcement Targets Crypto in Asia: The Tiger in the Grass ‒ What Every Crypto Actor Must Know Now on Thursday, November 30, 2023, from 10:00 a.m. to 11:00 a.m. Singapore.

REGISTER

About the Program

Crypto entrepreneurs and their financers and advisers are facing unprecedented enforcement activity from the U.S. government, including the U.S. Securities and Exchange Commission (SEC) and the U.S. Department of Justice (DOJ). The SEC, in particular, has taken an aggressive stance in applying U.S. securities law to internationally based cryptocurrencies, and international players in the crypto market are routinely being called to defend themselves in U.S.-based investigations and U.S. courts.

In this webinar, a Duane Morris team will discuss the basis for the SEC and DOJ’s assertion of jurisdiction over international actors so that crypto players can determine whether their actions may lead to the need to comply with U.S. securities laws. The panel will also discuss the various U.S. laws that could be triggered so that foreign crypto actors become more acquainted with U.S. laws and regulations. The focus of the webinar is to educate crypto players enough so that they understand the risks.

Speakers

  • Mauro Wolfe
  • Ramiro Rodriguez

Moderator

  • Vincent Nolan

Learn more about the event and Duane Morris’ Fintech Group.

Note: For those attendees located in the U.S., the time for this webinar is Wednesday, November 29, 2023, from 10:00 p.m. to 11:00 p.m. Eastern.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress