Blockchain and the Law

Cryptoasset Exchanges Respond to New York Attorney General’s Virtual Markets Integrity Initiative

On April 17, 2018, the New York Attorney General’s Office (“OAG”) launched a Virtual Markets Integrity Initiative and sent letters to thirteen cryptoasset trading platforms requesting, through a questionnaire, disclosures on their operations, internal controls, and safeguards to protect customer assets.  The questionnaire focused on six major topic areas, including: 1) Ownership and Control, 2) Basic Operation and Fees, 3) Trading Policies and Procedures, 4) Outages and Other Suspensions of Trading, 5) Internal Controls, and 6) Privacy and Money Laundering.  The OAG characterized the initiative as a mechanism to “increase transparency and accountability” on “platforms used by consumers to trade virtual or ‘crypto’ currencies like bitcoin and ether.”  Notably, the thirteen trading platforms were only given two weeks to respond to the questionnaire.

While cryptoasset exchanges already face regulatory scrutiny from the SEC, the CFTC, and certain state regulators (including other agencies within New York), among others, the OAG determined that its mandate to protect customers and investors and ensure the fairness of New York’s financial markets necessitated further action.  Two of the targeted trading platforms – Coinbase and Kraken – publicized markedly different responses to the OAG’s inquiries, the content of which sheds light on how some of the industry’s key players are approaching regulation and, perhaps, how regulators should be approaching some of the industry’s key players.

Regulatory Scrutiny of the ICO Market – What Fund Managers Should Know

Last week, former CFTC Chairman Gary Gensler explained in remarks at M.I.T. that he believes the second and third most widely used virtual currencies—Ether and Ripple—may have been issued and traded in violation of securities regulations.  This comes on the heels of a crackdown on cryptocurrency-related securities by the SEC, which is particularly focused on initial coin offerings (ICOs).  For fund managers, we believe the increased regulatory pressure will be felt in some expected, and some not-so-expected, ways.

ICO enforcement is trending: The SEC’s Cyber Unit has ramped up enforcement pressure, issuing dozens of subpoenas and information requests to technology companies and advisers involved in the ICO market.  The requests have sought information about the structure for sales and pre-sales of ICOs.  This uptick in enforcement pressure isn’t surprising, especially given Chairman Clayton’s repeated warnings that participants in the ICO space are not complying with the required securities laws (for example, notably stating that he has yet to see an ICO that “doesn’t have a sufficient number of hallmarks of a security”).  There are no signs the SEC will slow down its scrutiny of crypto-related assets.  The SEC has already indicated that it will devote significant resources to policing the ICO market.

Smart Contract Bug Leads Exchanges to Halt ERC-20 Token Trading

When a smart contract coding vulnerability resulted in the Parity wallet “freeze” that compromised over $150 million worth of user funds, we discussed the pitfalls of insecure code in the context of cryptoassets and the extent to which software developers might be held liable to their users for losses arising from mistakes in, or the exploitation of, the open source software they release into the world.

On Thursday, yet another possible coding vulnerability emerged – this time with the protocol underlying certain tokens themselves – as various exchanges suspended trading in ERC-20 tokens due to a discovery by security researchers of a smart contract bug known as batchOverflow.

According to researchers, attackers taking advantage of batchOverflow could generate a large amount of tokens from a vulnerable ERC-20 contract, then seek to deposit those tokens into a normal Ethereum address.

Such an attack raises issues of potential theft, unjust enrichment, fraud and market manipulation for the attackers. Furthermore, there is the question of whether liability could attach to developers who overlooked the batchOverflow bug in the first place (notably, the vulnerable function is not part of the official ERC-20 standard and was only implemented for a limited number of tokens).

As affected cryptoasset organizations, customers and exchanges continue to investigate, it remains to be seen whether and how any unauthorized transactions will be remedied. The questions abound:

Will victims and community members advocate for a remedial fork? (Parity, for their part, has recently pronounced that they have no intention to utilize a fork to rescue their wallets’ frozen funds.)

How will industry standards in the U.S. and other jurisdictions evolve to reflect the role of secure software in the “Internet of Value”?

Finally, will legal institutions be mobilized?

FTC Freezes Assets and Operations of Four Promoters of Cryptocurrency Investment Schemes

The Federal Trade Commission (FTC) recently sought and received a temporary restraining order (TRO) against four promoters of alleged pyramid schemes involving cryptocurrencies. The promoters were charged with violating the FTC Act’s prohibition on unfair or deceptive acts or practices in or affecting commerce.

The FTC’s complaint (filed under seal in the U.S. District Court for the Southern District of Florida on February 20, and released on March 16) targets the promoters of three cryptocurrency-related referral programs – My7Network, Bitcoin Funding Team and Jetcoin – that used online videos, social media, and robocalls to promise potential participants outsized returns on small initial investments of Bitcoin and Litecoin. According to the FTC, the promoters cited complicated financial models and used flowery language to explain the source of these returns, while in actuality the funds came from enrollment and other payments made by subsequent investors.


The TRO imposes a freeze on all assets (including cryptocurrencies) of the named defendants and bars them from continuing to promote any of their businesses. Quite notably, in making the determination that the issuance of a TRO was suitable to the case, the court focused heavily on the particular characteristics of cryptocurrencies. Specifically, the court stated that:

  • “The use of cryptocurrency in the programs promoted by Defendants poses a heightened risk of asset dissipation. Bitcoin and other cryptocurrencies are circulated through a decentralized computer network, without relying on traditional banking institutions or other clearinghouses. This independence from traditional custodians makes it difficult for law enforcement to trace or freeze cryptocurrencies in the event of fraud or theft;” and
  • “Defendants claim that the schemes they have promoted have expanded into dozens of countries. If Defendants were provided notice of this action, it would be a simple matter for them to transfer their bitcoin or other cryptocurrency to unidentified recipients outside the traditional banking system, including contacts in foreign countries, and effectively put it beyond the reach of this Court.”

Looking ahead, such considerations may raise critical questions – both practical and legal – as to the appropriateness of certain forms of remedial relief across a wide swath of cryptocurrency-related cases. In particular it remains to be seen what limitations, if any, can constrain a court’s ability to issue injunctions and compel specific performance in the cryptocurrency context.

FTC joins the fray

While the present case is one of the first times the FTC has waded into the regulation of cryptocurrencies, it is unlikely to be the last we hear from the United States’ primary federal general consumer protection agency. To that effect, also on March 16, the FTC announced it has created a Blockchain Working Group to investigate cryptocurrency and Blockchain-related activities.

Blockchain, Personal Data and the GDPR Right to be Forgotten

The effective date of the EU’s General Data Protection Regulation (GDPR) is fast approaching (May 25, 2018), and its impacts are already being felt across various industries. Specifically, the conflicts between the GDPR and the technical realities of blockchains raise important legal considerations for companies seeking to implement blockchain solutions that involve the personal data of EU data subjects.

One of the key features of blockchain technology is the general immutability of its data, and many applications of the technology thus far are built on publicly available data trails. Among other data, a blockchain can house the information of those who have engaged in transactions along the life of the blockchain, whether it is their name or social security number or, more often, simply a code which could make an individual identifiable. Personal data in an immutable data trail is problematic when considered against the new requirements of the GDPR.

One issue that will have to be considered is the GDPR’s “erasure” right.  Article 17 of the GDPR demands that companies erase the personal data of individuals when they request to be “forgotten”. The GDPR does not define what “erasure of data” means, which suggests that, to comply with this requirement, actual physical and logical deletion (a literal reading of the word “erase”) is required. As simply conducting a blockchain transaction to make personal information inaccessible does not erase any data, it is not clear whether and how one can store personal data on a blockchain and comply with a literal reading of this GDPR obligation. Further complicating the matter is the fact that Article 4 of the GDPR defines “personal data” very broadly as any information relating to an identified or identifiable natural person, with “identifiable natural person” being defined to mean an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Some practitioners and scholars believe that even an individual’s publicly available cryptocurrency wallet address would be considered personal data under the GDPR.

One potential solution to this conundrum might be to store all personal data off of the blockchain in separate “off-chain” databases, but to do so would sacrifice many of the benefits of using a blockchain in the first place.

Until we have some clarification on the interpretation of the obligation to “erase” data, or until the GDPR is amended to account for the unique technical structure of blockchains, companies should be aware of the risk in developing blockchains that will include personal data of EU-based individuals. While clearly an issue, as with much of the GDPR, a practical approach to compliance is recommended, and this is not likely to be the issue that is immediately put into play by complainants under the GDPR.

For general insights on the GDPR’s various privacy and data security implications, please visit our Privacy Law Blog.

A Proposed Statutory Framework for State Regulation of Virtual Currency Businesses: The Uniform Law Commission’s “Uniform Regulation of Virtual-Currency Businesses Act”

Last July, the Uniform Law Commission completed a uniform model state law, known as the Uniform Regulation of Virtual-Currency Businesses Act (“URVCBA” or the “Act”) (Steve Weise participated in the preparation of the Act).  Currently, state regulation in the virtual currency space is carried out under a patchwork of laws that typically do not directly contemplate virtual currency and blockchain technology. Attempting to bring clarity as to which types of entities require state licensure and also to encourage responsible innovation in this emerging area, the URVCBA provides a statutory framework for the regulation of companies engaging in “virtual-currency business activity.”  After carefully defining which activities fall under the Act’s purview, the uniform law requires covered entities to make the typical financial and business disclosures in its application, and also contains numerous user and consumer protections, including certain enforcement powers by the relevant state authority.

The mission of the Uniform Law Commission is to draft state laws on topics where standardized regulation across state lines is practical (e.g., the Uniform Commercial Code (the “UCC”)). Gaining final approval in 2017, the Act has so far been introduced in Connecticut, Hawaii, and Nebraska

When Filing Taxes, Don’t Forget Virtual Currency Income

In a March 23 news release, the IRS reminded taxpayers that income from virtual currency transactions must be reported on income tax returns, and that certain virtual currency transactions are taxable like any other property transactions. Taxpayers should note that despite the pseudo-anonymity of virtual currencies, the IRS has been able to successfully subpoena a major exchange for the accounts and information of thousands of holders.

As the IRS news release highlighted, the consequences for non-compliance are significant. Taxpayers who do not report income from virtual currency transactions can be audited for those transactions and potentially liable for penalties and interest. More egregious violations could subject taxpayers to criminal prosecution for charges including tax evasion and filing a false tax return. Convictions for tax evasion and filing a false tax return could lead to a prison term of up to three to five years, respectively, and monetary fines of up to $250,000.

The release also directed taxpayers to IRS Notice 2014-21 (which provides guidance on how existing general tax principles apply to certain virtual currency transactions) and noted that, among other things:

  • payments made using virtual currency are subject to information reporting to the same extent as any other payment made in property;
  • virtual currency payments to independent contractors and other service providers are taxable, and normally the payer must issue Form 1099-MISC;
  • wages paid to employees using virtual currency are taxable to the employee and must be reported on a Form W-2 by the employer;
  • certain third parties who settled virtual currency payments on behalf of merchants that accept virtual currency from customers must report payments to those merchants on Form 1099-K, Payment Card and Third Party Network Transactions; and
  • the character of gain or loss from the sale or exchange of virtual currency depends on whether the virtual currency is a capital asset in the hands of the taxpayer.

The release makes it clear that income from virtual currency transactions must be reported on income tax returns. However, the guidance in the March 23 release and IRS Notice 2014-21 does not apply to all virtual currencies and it is unclear how income from virtual currency transactions not covered by this guidance should be treated and reported for tax purposes. Furthermore, the application of this guidance to any specific taxpayer depends on the taxpayer’s particular situation. Taxation of virtual currencies is complex and there remains a great deal of uncertainty regarding the application of the tax law and a taxpayer’s compliance obligations. We will continue to follow developments in this area.