Last month, the Commodity Futures Trading Commission (CFTC) announced settled charges against three decentralized finance (DeFi) protocols for various registration and related violations under the Commodity Exchange Act (CEA) during the relevant period of investigation.  As a result, each entity paid a civil monetary penalty and agreed to cease violations of the CEA.  According to a statement by Commissioner Kristin N. Johnson, these latest settlements are the first time the CFTC charged a DeFi operator (e.g., Opyn, Inc. and Deridex, Inc.) with failing to register as a swap execution facility (SEF) or designated contract market (DCM). Moreover, these latest enforcements against DeFi entities arrive soon after the CFTC’s successful enforcement and default judgment against Ooki DAO, which the CFTC alleged was operating a decentralized blockchain-based software protocol that functioned in a manner similar to a trading platform and was violating the CEA (prior coverage of the Ooki DAO enforcement can be found here).

On July 12, 2023, U.S. Senators Cynthia Lummis (R-WY) and Kirsten Gillibrand (D-N.Y.) proposed a revised version of their previously introduced crypto regulation bill to create better safeguards for the crypto industry generally while adding new, stronger consumer protection provisions and AML provisions. The Lummis-Gillibrand bill, also known as the Responsible Financial Innovation Act (“RFIA”), identifies the need for enhanced regulation of digital assets. The proposal addresses this need, in part, by creating clearly defined regulatory roles for the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”), which are two of the leading regulatory bodies currently engaged in regulating the U.S. crypto market, as well as creating a new Customer Protection and Market Integrity Authority self-regulatory organization. The need for greater clarity in the roles of the CFTC and the SEC, and with respect to cryptocurrency regulations generally, is certainly timely, given the recent CFTC actions against Blockratize, bZeroX (and its successor Ooki DAO), and others and recent high-profile SEC actions against major crypto exchanges.

Unlike traditional corporate entities with a typical hierarchical structure, a decentralized autonomous organization (“DAO”) – a management structure that uses blockchain technology – functions as a leaderless entity. Without a formal corporate structure, DAOs instead operate by distributing governance rights among persons who hold a specific governance token. Consequently, federal and state courts have been grappling with how to consider a DAO under existing laws that were traditionally interpreted against long-standing corporate entities.

As discussed in a prior post, DAOs allow individuals to organize and coordinate at arm’s length, and rely on code (a “protocol”) to govern and execute functions traditionally determined by governing documents, like operating agreements and articles of formation, and undertaken by executives. A DAO’s protocol is committed to a public ledger on a blockchain, which guarantees accessibility and transparency. Each member is granted governance rights – the ability to propose and approve initiatives, called proposals – through a governance token. In light of their unique makeup, DAOs lack centralized leadership and a typical top-down management structure.

Accordingly, parties have debated whether a DAO should be recognized as a general partnership under state corporation laws (i.e., N.Y. P’ship Law §10: “an association of two or more persons to carry on as co-owners a business for profit….”) or, in the case of the Commodity Futures Trading Commission’s (“CFTC”) Ooki DAO enforcement, whether a DAO could be deemed an “unincorporated association” under the Commodity Exchange Act (“CEA”). Following the filing of the CFTC’s enforcement action, it is not surprising that the structure of the Ooki DAO, and the CFTC’s enforcement action against the DAO itself, have garnered a lot of media attention and industry reaction, and have raised novel legal issues.

Several questions have arisen in recent years regarding the potential liability of DAO members:

  • While DAOs are emerging as a viable structure in the DeFi space, does their non-traditional makeup necessarily shield them from real world liability?
  • Does a DAO’s structure render its activities “enforcement proof” or, at the very least, make it difficult to effect traditional service of process upon the DAO?
  • Can a DAO be an “unincorporated association” under federal or state law?
  • Who should be liable for the decisions made by a DAO?
  • Because token holders participate in the DAO’s governance, can they be deemed personally liable for its actions (akin to the general partners in a general partnership), even if each governance token holder is essentially unknown to the other DAO members, who likely reside in multiple jurisdictions?

In a post-FTX environment, several financial regulators are taking action to emphasize a policy of sound custody and disclosure practices and to better understand certain risks to protect customers in the event of an insolvency or similar proceeding. For example, back in January 2023, the New York Department of Financial Services announced that it had issued certain Guidance on Custodial Structures for Customer Protection in the Event of Insolvency in which it highlighted the significance of consumer protection upon insolvency or similar proceeding. And in February 2023, the Securities and Exchange Commission (“SEC”) proposed amendments to the Custody Rule under the Investment Advisers Act of 1940, which, among other changes, clarified aspects of the existing rule and expanded its application to a broader array of client assets managed by registered investment advisers.

This past month, the Commodity Futures Trading Commission (“CFTC”) acted to ensure proper risk management within the derivatives markets in relation to, among other things, digital assets, by issuing two separate releases: (1) a proposed rulemaking on potential amendments to certain Risk Management Program (“RMP”) requirements applicable to swap dealers (“SDs”), major swap participants (“MSPs”), and futures commission merchants (“FCMs”); and (2) an advisory letter reminding derivatives clearing organization (“DCO”) registrants and DCO applicants about compliance obligations when expanding the types of products cleared and services offered by DCOs, including those related to digital assets.  The CFTC stated that re-evaluating its risk management rules is necessary to keep pace with evolving markets that can give rise to new risks from emerging technologies such as digital assets and artificial intelligence.

In what appears to be an issue of first impression, a California district court ruled that various defendants allegedly holding governance tokens to the bZx DAO (or “Decentralized Autonomous Organization”), a protocol for tokenized margin trading and lending, could be deemed to be members of a “general partnership” under California law under the facts outlined in Plaintiffs’ complaint, and thus potentially jointly and severally liable for negligence related to a phishing attack that resulted in the loss of users’ cryptocurrency. (Sarcuni v. bZx DAO, No. 22-618 (S.D. Cal. Mar. 27, 2023)). The ruling is significant given that this is purportedly the first court to substantively consider the legal status of a DAO under state law (albeit in a ruling on a motion to dismiss); interestingly, in a prior settlement the defendant bZeroX, LLC and its founders reached with the Commodity Futures Trading Commission (CFTC) in 2022 over claims that bZeroX and its founders unlawfully offered leveraged and margined retail commodity transactions in digital assets, the order expressly considered the bZx DAO (and its successor Ooki DAO, which is co-defendant in the instant action) as an “unincorporated association” under federal law. (In re bZeroX, LLC, CFTC No. 22-31 (Sept. 22, 2022)).

A DAO is a decentralized autonomous organization where token holders can vote on governance decisions of the DAO. DAOs don’t typically operate within a formal corporate structure, opting instead to distribute governance rights among persons who hold a specific governance token. The entire raison d’être of a DAO is to take advantage of web3 technologies and operate without a traditional corporate formation to make decisions without a central authority or usual top-down management structure. While DAOs are emerging as a viable structure in the DeFi space, this ruling shows that their non-traditional makeup may not necessarily be a shield from real world liability. Plaintiffs’ theory that the DAO members are part of a general partnership means that anyone holding governance tokens at the relevant time would be jointly and severally liable for the torts of the DAO. To be sure, even though existing structures do not fit the novel web3 organizational primitive that is a DAO, nothing prevented the bZx DAO (or its successor Ooki DAO) from creating a so-called “legal wrapper” or real-world corporate entity to shield individual members from liability and limit potential creditors to monetary recovery from the DAO’s treasury only.

Binance is the latest major crypto industry player to be sued by a U.S. regulator.  On March 27, 2023, the CFTC announced that it had filed a civil enforcement action against Binance Holdings Limited (and related legal entities) (collectively, “Binance”), its CEO, Changpeng Zhao (“Zhao”), and its former chief compliance officer, Samuel Lim (“Lim”), for violating the Commodity Exchange Act and CFTC regulations. (CFTC v. Zhao, No. 23-01887 (N.D. Ill. Filed Mar. 27, 2023)).  The CFTC, among other things, alleges that Binance allowed U.S. customers to make use of their centralized digital asset trading platform without Binance first properly registering with the CFTC and also allegedly failed to implement an effective anti-money laundering (“AML”) program as required under applicable law. The complaint states that Binance has “never been registered with the CFTC in any capacity.” The CFTC is seeking disgorgement, civil monetary penalties, permanent trading and registration bans, and a permanent injunction against further violations of the Commodity Exchange Act and CFTC regulations.

On September 22, 2022, the CFTC announced an order simultaneously filing and settling charges against bZeroX, LLC (“bZeroX”) and its creators for illegally offering leveraged and margined retail commodity transactions in digital assets, operating as an unregistered futures commission merchant and failing to conduct KYC on its customers. According to the CFTC, a month prior to this settlement announcement, bZeroX transferred control of the bZx Protocol to the bZx DAO, a decentralized autonomous organization (“DAO”), which later renamed itself as the Ooki DAO.  On the same day as the bZeroX settlement was announced, the CFTC filed an enforcement action against the Ooki DAO (successor to bZeroX) for violating those same regulations.  The CFTC stated that bZeroX and its creators engaged in this unlawful activity in connection with their decentralized blockchain-based software protocol that functioned in a manner similar to a trading platform.  The transactions executed on bZeroX, and subsequently on the Ooki DAO, were required to take place on a registered designated contract market.  Additionally, the complaint asserted that bZeroX and Ooki DAO were operating as unregistered futures commission merchants by soliciting and accepting orders from customers, accepting money or property as margin and extending credit.

The structure of Ooki DAO, and the CFTC’s enforcement action against the DAO itself, have garnered a lot of media attention (and industry reaction) and raised novel legal issues.

Both the head of the Commodity Futures Trading Commission (CFTC) and leader of the SEC agree that the crypto markets need regulating, and specific rules may help clarify which agency has authority to regulate various cryptocurrency activities. The client alert below discusses both CFTC Chairman Rostin Behnam’s comments and SEC