So far 2022 has been one of the busiest regulatory years we have seen!
Here we leave you with three takeaways for traditional finance and blockchain compliance programs:
Follow Gensler & other top regulators on Twitter
Basics are important. Have an independent review of your program
Understand operational risks & build resiliency. Use technology for duty of loyalty (conflicts), transparency (performance & costs/expenses), and care (conduct standards, ESG)
Blockchain Highlights
A must-see is the debate on the regulatory approach to blockchain and DeFi. Click here to watch it!
The FTX Breach article is an important reminder about the duty to users/customers
2022 SEC Wrap Up
Here is an inventory to help you recap SEC priorities for the testing of your compliance program.
Building the governance, risk, and compliance bridge between finance and blockchain
Guidance and developments outweigh enforcement this month. Please reach out with questions: understanding evolving standards is increasingly needed to navigate risks.
The Enforcement Environment
Token Promotion
The promotion of tokens/shilling increases securities law risks. In both SEC vs. Balina and SEC vs. Kardashian, the promoters failed to disclose they received compensation for promoting the tokens.
Requirements: In 2019, the FTC, which makes rules around truth and transparency in advertising, published simple guidance for social media influencers & required disclosure of payments. Though the SEC has its own rules for this issue, they largely parallel the FTC’s. SEC Chair Gary Gensler posted a video to highlight its position.
Reminder: Many regulatory cases are paired with class action lawsuits. The Kardashian settlement may impact the pending class action suit too.
Are you Decentralized Enough?
The CFTC settled with bZeroX, LLC and its founders for allegedly acting as an unregistered futures commission merchant (FCM) and failing to adopt a customer identification program as part of a BSA compliance program required of FCMs. Simultaneously, the CFTC charged the successor entity to bZeroX, Ooki DAO, with violating the same laws.
The CFTC found:
Registration – Defendants failed to register as an FCM
Commodities – “Virtual currencies such as ETH, DAI, and others traded on the Ooki Protocol are ‘commodities’ under the Act.”
DAO was not decentralized – “The acts, omissions, and failures of the members of the Ooki DAO unincorporated association (i.e., the Ooki Token holders who voted their Ooki Tokens to govern the Ooki DAO by, for example, directing the operation of the Ooki Protocol), as well as of those authorized to work on behalf of the Ooki DAO, were done within the scope of their office, employment, or agency with the Ooki DAO.”
“While I do not condone individuals or entities blatantly violating the CEA or our rules, we cannot arbitrarily decide who is accountable for those violations based on an unsupported legal theory amounting to regulation by enforcement while federal and state policy is developing”.
The House Committee on Oversight and Reform has requested info from 4 Federal agencies and 5 crypto exchanges on their actions and mechanisms to combat fraud.
New EU Directive – The European Union has formally approved the Markets in Crypto-assets (MiCA) directive. (Europe.eu) The European Union released its 8th package of sanctions against Russia, which include a ban on “all crypto-asset wallets, accounts, and custody services, irrespective of the amount of the wallet.” (Europa.eu)
Data Security
Binance, the world’s largest cryptocurrency exchange, was hacked. Binance reports mitigated losses of under $100M.
Global Coordination
International securities law watchdog IOSCO (the International Organization of Securities Commissions) is working to create ‘common standards’ for crypto.
As the Ethereum network transitions its system through a new upgrade called the Merge, many are wondering which startups within its ecosystem will be best positioned to thrive in a post-Merge world.
Overall, it seems like the post-Merge startups that will succeed are ones that provide accessibility to both Web 2.0 and web3 users, whether it be something like a financial product or infrastructure that could try to ease the onboarding to Ethereum. Most notably, many think liquid staking pool providers will take the reins. Given the Merge’s switch to proof-of-stake, this could make sense.
The efforts to lower the network’s carbon footprint by about 99% are also at the forefront of many market players’ minds as it moves away from mining, which would make mining pool-focused startups a thing of the past. Startups that align with ESG objectives will definitely take a big step forward as sustainability efforts continue to grow.
It’ll be interesting to see how this all plays out over the next couple of months (to years) as the Merge is built upon and other upgrades are implemented into the network.
To further our understanding, we asked a range of crypto market players — including the co-founders of layer-2 blockchains Polygon and StarkWare, partners at VC firms, developers, and researchers — their thoughts on the Merge and which Ethereum-based startups may hit the ground running. (Some responses have been edited for clarity and length.)
One big misconception about the Merge is that it’s going to lower gas fees on Ethereum. This isn’t the case — it will lower the network’s carbon footprint by nearly 100% but won’t get rid of the high gas fees that have been a big issue for the ecosystem.
With that, we’re continuing to bet on projects that will make web3 more accessible to everyday users. The Ethereum network’s high gas fees and slow network speeds will continue to create high barriers to entry. At Symbolic, we’re looking for projects that will help onboard the next 1 billion users into web3. These are projects that everyday people accustomed to the frictionless experience of Web 2.0 will be able to easily pick up and engage with. We’re betting on dApps and infrastructure projects that will make web3 more accessible.
Mihailo Bjelic, co-founder of Polygon
To be frank, adoption of web3 startups will mainly be driven and determined by the same factors as in the Web 2.0 world — product-market fit and commitment of the founders. That being said, with the Merge and introduction of fast and efficient development platforms built on top of Ethereum, web3 infrastructure is pretty much ready for mass adoption and will additionally boost the adoption for web3 startups in general.
First and foremost, it will be about embracing the new technologies (e.g., Polygon) that build on top of Ethereum and provide all the features required for mass adoption like fast transactions, low fees, and a great user experience. Then, it will be about educating their users about the actual benefits of web3: transparency, ownership, borderless economy, and communities. I am personally confident that these two things will usher in the new chapter of adoption.
Eli Ben-Sasson, StarkWare co-founder and president
The Merge makes me think of the moment the first solar fields went live. We saw it’s possible to reduce the environmental impact of producing electricity. People didn’t say, “That’s great, problem solved.” They said if we’re generating electricity with less pollution, it’s time to double down on efforts to use the power more sparingly. There was a boom in power-conserving devices.
The same goes for the Merge. The computing power of Ethereum will involve a far smaller carbon footprint. But it will remain a scarce resource. Innovations aimed at using this resource more efficiently will now thrive. That is exactly why [Ethereum co-founder] Vitalik Buterin talks about layer-2 scaling solutions and the Merge almost in the same breath — because they are complementary.
All sorts of companies building on layer-2, whether ours or others, are going to thrive. I’m bullish on projects that bring crypto into daily usage for simple things like buying coffee and important things like owning and controlling our own data. The Merge, and successive changes on Ethereum, will also change the face of gaming, and companies that enable people to play games peer-to-peer and reduce reliance on big servers are likely to enjoy success.
Lauren Stephanian, partner at Pantera Capital
The Merge creates an environment where infrastructure for both staking and accounting is more essential than ever. Businesses like Staked, Blockdaemon and Figment abstract away the complexity of staking by enabling users to delegate their ETH and other proof-of-stake (PoS) tokens to [help] them to stake. Staking is also considered income, which creates a need for software that can help investors track and report rewards over time.
Beth Haddock, adviser to automated market maker DeFi protocol Balancer
A reduction of energy consumption by 99% will arguably align with sustainable development goals (SDG) and ESG investment objectives. With the Merge, projects can combat the critics of crypto’s so-called dirty secret.
Startups that are purpose-driven, either by community interests or commitment to SDGs, have a tremendous opportunity to tell a compelling story and gain more momentum. This is an opportunity to promote that alignment and attract more capital from those looking to support ESG-focused efforts and avoid greenwashing.
Vance Spencer, co-founder of Framework Ventures
I think the most direct beneficiaries of Ethereum’s Merge will be at the application layer. Once ETH becomes a yield-bearing asset, it’s entirely possible that it supercharges the DeFi platforms in which it is deposited. Additionally, I think several of the decentralized staking platforms, which provide users with liquidity after they lock up their assets, could see increased attention and usage after it becomes more clear that the Merge has gone through without any significant hiccups.
Jagdeep Sidhu, president and lead developer of Syscoin
There are a bunch of opportunities in the modular blockchain tech stack in the post-Merge world. For example, anything that helps rollups, anything related to zero-knowledge proofs, or anything that helps the infrastructure related to data availability. Very soon, Ethereum will integrate proto-danksharding (EIP-4844) along with danksharding subsequently. This will transition the Ethereum blockchain to be a unified data availability layer (for censorship resistance) in a rollup-focused road map.
With that in mind, there is a pressing need for services to index both optimistic and zero-knowledge rollup-based data availability for users to be able to have censorship resistance mechanisms to exit back to the main chain, assuming sequencers of the rollups fail to sequence or update with the user’s exit request. I haven’t seen anyone take that one on and it can be a service that can take tokens for payments for each request.
There also needs to be a unification of experiences related to having multiple rollups and segregated financial systems running on the differing rollups. Think of a rollup as a separate chain; we need better views on liquidity and state across these systems. Perhaps some astute developers can create liquidity sharing across rollups in secure ways, have ways to move across these rollups quickly or just have wallet experiences that can show what rollups you are involved in to let you switch easily.
Finally, as we scale the blockchain industry up through modular design, we will open up tons of untapped opportunities that we never would have thought possible (NFT, DeFi, and metaverse are examples of such market segments). We need better wallet experiences that allow users to differentiate their experiences compared to how they will be interacting with dApps.
Jupiter Zheng, head of research at HashKey Capital
A few sectors may benefit immediately after the Merge, namely scalability solutions and liquidity staking services. In regard to liquidity staking, we predict that staking yield will rise (meaning validators will see increased transaction fees and maximal extractable value). This in turn may increase user participation and broaden the market potential for liquid staking services.
Scalability solutions may also go through an upheaval. Companies and startups building with the data availability layer in mind may perform better and essentially enjoy the next layer-2-like opportunities. These early adopters may attract plenty of capital and projects to build around it.
Baek Kim, partner at Hashed
Ethereum’s move to a PoS mechanism fundamentally changes the power dynamics in the crypto industry. Liquid staking pool providers will play bigger roles and on-chain governance will become the most intense category to see new experiments to carry on the innovation.
Feras Al Sadek, managing partner at Ghaf Capital Partners
A post-Merge world will better equip mass adoption to take place for the back-end developers and the front-end users of the Ethereum ecosystem. With the Merge provoking enhancement in security, scalability, and overall functionality, all segments of this industry shall be given a platform to reinvent themselves.
Not to mention the reduction in energy consumption that a PoS model will bring by slashing down Ethereum’s electricity usage by 99%, allowing crypto to finally be in alignment with a greener future that the world is trying to build.
However, blockchain gaming and infrastructure services shall be at the start of the line claiming their spot as the initial benefactors of this massive upgrade.
Alex Ye, head of research and economics at Republic Crypto
One non-trivial consideration for the post-Merge era is how long it will actually take to sort and settle the existing developers and users to the new chain. Once that eventually subsides, I’m confident we’ll see roll-up projects, particularly in the zero-knowledge category, compete at a breakneck pace, where we’ll be keen to track and back the best teams. This will be the Ethereum ecosystem’s opportunity to answer the app-chain craze as applications evaluate running their own chains via subnets, Cosmos, supernets, etc.
That said, we have to remember that the Merge is just the beginning of potentially much more to come, with the Surge, Verge, etc., though we should certainly keep our expectations tamed given the amount of delay we’ve seen leading up to the Merge.
James Key, CEO, and founder of Autonomy Network
Most people don’t realize that the Merge won’t actually increase the scalability (cheaper transaction fees) of Ethereum immediately — this is the first stage of many and the scalability will come in later upgrades.
One thing that will actually change with the Merge and its switch to PoS is ESG. Since PoS no longer uses massive amounts of electricity, and therefore carbon emissions, like proof-of-work (PoW) mining, Ethereum now becomes an ESG-friendly platform and asset. The dApps building on Ethereum will now also be ESG-friendly; therefore, ESG-focused startups will be the largest benefactors from the Merge.
Building the governance, risk, and compliance bridge between finance and blockchain
This month we share a few articles about risk management and why it is important to consider emergent as well as current risks. We hope these thought pieces help you prepare for a busy fall and year-end.
The Environment
Tornado Cash Matter: Sanctioning Tornado and the development of smart risk-based controls in a DeFi environment.
Blockchain Compliance & Risk Practice Tips: We need more FOMO for risk. Check on your legal and risk framework.
DAO Risk Framework Announced: A White Hat approach to Management of DAO Risks.
The California state legislature passed the Digital Financial Assets Law, a bill requiring crypto businesses to be licensed. If signed by the governor, it will be a big change for many companies.
UAE Regulatory Authority announces new guidelines requiring factual accuracy in marketing virtual assets. Review your marketing against these standards.
FINRA sanctioned National Securities Corp. for failing to disclose material information and attempting to artificially influence the market by trying to induce purchases in the aftermarket of an offering.
Your Compliance & Risk Program
Codes of Ethics are an important training topic: Review your training against the latest SEC Risk Alert on Investment Adviser MNPI Compliance Issues.
What is certain? Death, taxes… and, IMO, regulatory efforts against crypto projects will not slow down. Although there is more uncertainty than certainty when it comes to what it means for DeFi and other crypto projects to show good faith adherence to applicable laws, two facts certain to me are 1) taxes and anti-fraud are important bellwether issues and 2) we are moving towards global alignment of expectations and enforcement.
If a project can develop and commit to a strategy that focuses on the knowns instead of the unknowns, they can avoid predictable surprises and mitigate risk and disruption.
What is known? If a project is fully and legally decentralized, they are operating with less regulatory risk. On the other hand, if a project aspires to become decentralized, they are in a risky posture. What I believe is also known, or certain, is that regulators will achieve their stated objectives indirectly if direct actions are not available or practical. For example, if regulators cannot rely on clear authority through laws, rules and regulations, as they have done in traditional finance, they will advocate standards through enforcement cases and informal guidance. This may be an unfair approach; however, there is precedent for this signaling strategy and it is not wholly unexpected after recent indications through speeches, proposed rules, investigations, and enforcement cases, particularly after Celsius and recent hacks that have been designated as national security and economic resiliency risks.
Rather than only lament about the need for a change or wait for regulatory authority to be certain, projects should also adopt smart risk-based controls to meet current expectations. Now is the time to consider which vendors can help you and how a project can collaborate and build its own risk program, so it can limit reliance on vendors and sharing information. It is important to call attention to overreaching and inappropriate regulation by enforcement, but it is also important to plan for the new normal until there is formal legal certainty.
So what does this specifically mean for projects trying to manage risks?
In addition to inventorying the knowns that are relevant for your project, I’d offer that you need:
To be agile, expect developments will continue.
To expect the pressure will increase, not go away.
Educate yourself and secure advisers that can help you build your own risk-based controls, like sanctions screening, that you’re comfortable with.
The Tornado Cash matter is not a total surprise for a number of reasons. In addition to regulation by enforcement, regulators target pressure points, such as mixers, in order to be efficient. Regardless of fairness or authority, in this case, they are sending a clear message that any entity that is facilitating fraud is fair game.
“While most virtual currency activity is licit, it can be used for illicit activity…”
They do not consider this action as simply banning and sanctioning open source code on the internet.
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks” — OFAC Notorious press release
Industry pushback on scope, approach and authority should not be the only focus. Projects should also focus on fixing any unintended consequences of the recent addition to the sanctions list. Use of sanctions vendors should be audited and adjusted to adhere to requirements and to eliminate false red flags, such as blocking a wallet that was the victim of dusting.
How can projects adjust?
Consider these 4 takeaways:
Vendor help is only step 1: A vendor only provides info. Projects make the decisions about use of the tool. Projects should review and check vendor rules. Vendors make mistakes or use standards that don’t fit every project. Users should manage the vendors.
Investigate, instead of block, where possible: Projects can move from blocking all flagged wallets to investigating hits and only blocking a wallet when the activity itself is prohibited.
Calibrate the approach. Be risk-based: Projects can use de minimis thresholds, when appropriate, before blocking and plan to calibrate the tools.
Create an escalation and appeal process that quickly addresses false positives: When there is a new addition to a list or a new requirement, there will be implementation issues. If a beta or pilot isn’t possible, be prepared to address feedback.
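The four takeaways above, as an added example that is not part of the original post and not any vendor's code: a small risk-based screening decision layer in Python. Vendor hits are treated as input; the project's own Policy decides whether to clear, investigate or block, user-initiated transfers to a listed address are treated differently from unsolicited inbound ones (so a dusting victim is not flagged), and every non-trivial decision is escalated for human review. The VendorHit shape, the Policy thresholds, the list name and every address and amount are assumptions constructed for the example.

```python
# Added example (not from the original post or any vendor): a risk-based
# sanctions-screening decision layer that treats vendor hits as input, not as
# the decision. Addresses, list names and amounts are constructed sample data.
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    CLEAR = "clear"
    INVESTIGATE = "investigate"
    BLOCK = "block"


@dataclass(frozen=True)
class VendorHit:
    """Assumed shape of a screening vendor's answer: the list matched and its own confidence."""
    address: str
    list_name: str
    confidence: float  # 0.0 .. 1.0, as reported by the vendor


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    sender: str
    receiver: str
    amount_usd: float
    user_initiated: bool  # True if our user signed it; False for unsolicited inbound transfers


@dataclass(frozen=True)
class Policy:
    """Project-owned calibration knobs (takeaway 3); the project, not the vendor, sets these."""
    min_confidence: float = 0.8   # vendor hits below this are reviewed, never auto-blocked
    dust_usd: float = 1.0         # inbound amounts at or below this are treated as probable dusting
    de_minimis_usd: float = 10.0  # small inbound amounts are reviewed rather than blocked


@dataclass(frozen=True)
class Outcome:
    decision: Decision
    reason: str
    escalate: bool  # True when a human-review ticket should be opened (takeaway 4)


def screen(transfer, hits, policy, pending_appeals=frozenset()):
    """Decide on one transfer. `hits` maps address -> VendorHit; `pending_appeals` holds
    addresses whose earlier block is under appeal, so they are held rather than re-blocked."""
    counterparty = transfer.receiver if transfer.user_initiated else transfer.sender
    hit = hits.get(counterparty)
    if hit is None:
        return Outcome(Decision.CLEAR, "no vendor hit", False)
    if counterparty in pending_appeals:
        return Outcome(Decision.INVESTIGATE, "open appeal on counterparty; hold, do not block", True)
    if hit.confidence < policy.min_confidence:
        # Takeaway 1: vendors make mistakes, so a weak match is a question, not a verdict.
        return Outcome(Decision.INVESTIGATE, f"low-confidence match on {hit.list_name}", True)
    if transfer.user_initiated:
        # Takeaway 2: the user chose to send to a listed address; that is the prohibited activity.
        return Outcome(Decision.BLOCK, f"user-initiated transfer to {hit.list_name}-listed address", True)
    # Unsolicited inbound from a listed address: the recipient did not act, so do not block them.
    if transfer.amount_usd <= policy.dust_usd:
        return Outcome(Decision.CLEAR, "probable dusting; recipient wallet is not flagged", False)
    if transfer.amount_usd <= policy.de_minimis_usd:
        return Outcome(Decision.INVESTIGATE, "unsolicited inbound below de minimis; review only", True)
    return Outcome(Decision.INVESTIGATE, "unsolicited inbound above de minimis; hold and review", True)


def review_queue(outcomes):
    """Return the tx_ids that need a human decision, in input order."""
    return [tx_id for tx_id, out in outcomes.items() if out.escalate]


# Constructed sample vendor output and transfers (not real addresses or list data).
SAMPLE_HITS = {
    "0xLISTED_A": VendorHit("0xLISTED_A", "sample-sanctions-list", 0.99),
    "0xMAYBE_B": VendorHit("0xMAYBE_B", "sample-sanctions-list", 0.55),
}
SAMPLE_TRANSFERS = [
    Transfer("t1", "0xUSER", "0xLISTED_A", 500.0, True),    # user sends to listed address
    Transfer("t2", "0xLISTED_A", "0xUSER", 0.25, False),    # dusting from listed address
    Transfer("t3", "0xLISTED_A", "0xUSER", 5000.0, False),  # large unsolicited inbound
    Transfer("t4", "0xUSER", "0xMAYBE_B", 50.0, True),      # weak vendor match
    Transfer("t5", "0xUSER", "0xCLEAN_C", 20.0, True),      # no hit
]


def run_sample(pending_appeals=frozenset()):
    """Screen the constructed transfers with the default Policy; returns tx_id -> Outcome."""
    policy = Policy()
    return {t.tx_id: screen(t, SAMPLE_HITS, policy, pending_appeals) for t in SAMPLE_TRANSFERS}


if __name__ == "__main__":
    results = run_sample()
    for tx_id, out in results.items():
        print(f"{tx_id}: {out.decision.value:12} {out.reason}")
    print("needs review:", review_queue(results))
```

The design point is that only t1 (the user's own transfer to a listed address) is blocked outright; the dusting transfer t2 clears without flagging the recipient, and the weak match and large inbound land in the review queue rather than triggering an automatic block. Passing an address in `pending_appeals` downgrades a block to a hold until the appeal is decided, which is the mechanism the fourth takeaway asks for.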
To recap – the topic is complicated and elicits strong opinions and discourse. IMO projects should prioritize three next steps:
Decentralize further
Implement — Implement a governance, risk and compliance (GRC) program. Don’t wait for more certainty about explicit laws.
Commit to ‘Need to Know’— Protect privacy of users, but don’t fight the current expectations to address sanctions and anti-fraud. There is a big gap between web2 data collection with use of data to grow a business and DeFi data collection of only data that is needed to reasonably protect contributors and follow applicable sanction laws. Limited collection and use still protects users’ privacy. We will need to smartly tackle how to address the practical implications of the conflict between protection of privacy and protection from fraud.
At the heart of most web3 projects is the assumption users will be better off with decentralization than with centralized control. But what if in an effort to innovate and disperse control, projects are putting users in a more vulnerable position?
Vulnerability can grow when risks are underestimated or ignored. We are seeing some of that pressure with Celsius, Three Arrows Capital, and most recently with the SEC action against Forsage. Risk management is more important than ever, yet many DeFi and web3 projects spend time and money creating a legal framework without carefully considering operational risks. A stress test of a project’s legal structure can help assess its resilience and indicate whether it is well-positioned to handle predictable surprises such as governance, compliance, and risk (GRC) events. In a time of growing concerns about the financial stability of crypto-assets, and a call for more regulation, this assessment exercise is needed to deftly adjust to the changing tides. FSB July Statement
“DAOs — decentralized autonomous organizations — are an essential tool in achieving the self-empowering benefits of web3, including more equitable ownership among stakeholders, reduced censorship and greater diversity” Jennings & Kerr framework
DAOs are a crucial counterbalance to centralized technology innovators, but to make open and decentralized alternatives sustainable, risk management needs to be prioritized. If it isn’t, users are exposed to unnecessary risk of loss of their data, investments, and other contributions.
In a previous post, I introduced a new GRC framework that can be used to score how well a project manages risk.
To start the assessment, consider two pivotal questions:
Are you positioned to engage with the community and get ahead of developing risks?
Are you agile enough to address inevitable GRC risks or does your legal structure increase operational friction and inefficiency?
How do you measure up?
Use the GRC Comparison Chart below as a check on your legal and risk framework. As you consider these questions, test your assumptions against 5 different priorities. These will inform your conclusion about whether you are positioned to handle GRC.
GRC Comparison Chart: Observations about whether and how each organizational structure can help manage specific GRC risks within GRC Principles & Pillars.
Incentives
Alignment
Sustainability
Personal Liability
Crisis Management
Managing GRC is more than just working on your initial legal structure. Reach out if you are interested in learning more about how to protect your project and users with GRC risk management. team@warburtonadvisers.com
Beth Haddock is an advisor to stablecoins, Defi platforms, and fintech projects including the Balancer ecosystem and GYEN.
A bear market can be a clear test of resiliency. We are seeing some blockchain projects struggling to pass that stress test: Celsius halts withdrawals; Rari goodbye & nod to predatory tactics; Babel suspends redemptions & withdrawals. But we also see successful white hat hacks that raise the potential for more holistic resilience across web3 projects (DeFi Attack Averted). Surprisingly, these ethical hacks resemble risk and compliance controls in heavily-regulated businesses, but they are more effective because of timing. Instead of a centralized gatekeeper trying to cajole a team’s commitment to risk mitigation, the power of wide engagement in DAOs allows behavioral incentives to be more intuitive and effective with less resistance.
For sustainable growth in web3, let’s adopt a behavioral incentive approach for all governance, risk and compliance (GRC) matters, not just cyber security. Incentivizing self-reporting by aligning everyone with the interests of the community (a “white hat approach”), at a minimum, will more clearly separate the bad actors and innovators. A framework for DAOs is crucial in order to align behavioral incentives, so web3 projects do not repeat the inherent dysfunction of traditional GRC programs. Action is needed now to ensure the framework fits the new ethos and can refute increasing claims by regulators and litigants that a layer of traditional controls should be mandated for web3 projects. One recent example is the debate about how to regulate Tether. Let’s use decentralized consensus and collaboration to incentivize better business conduct.
II. Perils of Traditional GRC and Wait and See Strategy
Once there is a decision about business priorities and the legal entities to support them, the next step is to decide if a project will build a GRC program. After funding is secured, regardless of the size of a project or its potential treatment as a financial product, it’s time to understand threats to the project’s viability. Viability threats can be vast, from operational risks that cause errors or difficulty recruiting and retaining talent, to regulatory and legal risks that impact whether the project could be halted or distracted with government inquiries. Yet, most projects do not proactively address regulatory and operational risks after establishing their legal and business framework. With a bear market and increasing concerns about protection of users, many regulators and legislators are considering how to regulate web3, particularly how to retrofit traditional GRC requirements. SEC Chair Gensler speech; Sec. Yellen remarks; New EU-wide regulation; New crypto framework in Brazil; New Singapore crypto law
A Web3 project has at least two choices:
Wait and see whether government requirements apply and build a framework then, taking on all the material civil and criminal risks that comes along with a wait and see strategy, or
Build a tailored framework that uses the same ethos as ethical hackers and permits the ecosystem to choose its priorities.
If the majority of the web3 projects opt for the wait and see approach, web3 would arguably lose an opportunity to build a better GRC paradigm. Businesses would accept the heightened risk that they need to build a traditional GRC program into the DAO and/or that they are not prepared for inevitable changes to tax, legal and regulatory requirements.
The traditional GRC framework has a mixed record on effectiveness. The Transparency International Corruption Perceptions Index (CPI) indicates that despite all the money and effort to adhere to legal and regulatory requirements designed to fight fraud, traditional GRC programs are failing to eliminate fraud. With no meaningful improvement in the last decade and over 50% of countries receiving a failing CPI grade for fighting corruption and fraud, the centralized approach is not delivering a ROI (Transparency International CPI). Instead, many compliance officers struggle to align incentives & gain collective ownership to report and solve governance gaps. We continue to see corrupt corporate behavior at some of the world’s most successful companies. FCPA Violation 120 mil in fines; Retirement Account Fraud; Fraudulent Bond Sale
The new GRC paradigm is poised to leverage the power of decentralization and incentives. For example, compare white hat (ethical) hackers protecting against cyber threats to whistleblowers allegedly fighting corruption and theft. Whistleblower reporting is required under several existing regulatory regimes to incentivize self-policing. EU Whistleblower Directive; SEC Whistleblower and Bounty Program; Anti-corruption Whistleblower Cases. However, whistleblower reporting within businesses is notoriously ineffective at preventing corruption before it occurs and instead is reserved for bringing the problem to the public after the fact. Facebook Whistleblower
There is a strong rationale for not waiting for new regulatory mandates and instead building a Web3 GRC framework that uses the same ethos as ethical hackers to proactively self-govern. This will allow the ecosystem to choose its own priorities and make its own decisions.
III. New GRC Framework
In order to maintain a sustainable peer-to-peer ecosystem, the members need to build trust and deliver on transparent governance. A sustainable GRC program will incentivize addressing conflicts and issues before they threaten the viability of the project. SushiSwap CTO Resigns; SushiSwap Feud
Guiding principles for sustainable governance are:
Agile & Iterative — Expect changes, build in flexibility and a modular approach that can be adjusted when new risks surface
Disclosures & Transparency — Assume conflicts and risks should be known, so users are informed
Anti-Fraud & Consumer Protection — Prioritize well-being of users and adopt a guardian lens
Caution & Escalate — Create the white hat approach, build in self-reporting incentives and avoid whistleblower pitfalls
A sustainable GRC program should adopt 5 pillars:
1. Know the environment and prepare
As with pen testing or hackathons — expect inquiries from government authorities and litigants. Prepare with an advisory bench and narrative of the project. The narrative should include in and out of scope features to tell the project’s story before being asked to defend the story to the government or litigants. Hire a “white hat” advisor to audit your performance against these pillars and guiding principles.
2. Create and manage a road map
Create a practical risk inventory based on current developments and maintain it. Assess the relevance of the risks to the project and prioritize drafting a project list to address the top risks. Use the inventory as a confidential road map with use cases and examples to size risks.
3. Create an escalation and questions forum
Create a GRC private Slack channel, Discord, team meetings and Q/A. Make it easy to ask questions and escalate concerns. Consider building a path where reporting is anonymous to remove any hesitancy. Set a record retention policy to make sure you retain documents you need and create a rational destruction schedule to balance data sharing with security risks. For instance, corporate documents should be retained for the life of the organization, whereas Slack and text messages may contain personal information and should have a short retention period to limit the impact of a data breach.
4. Have a public relations & communications strategy
Set standards for community, project and personal opinions. Set guidelines to avoid shilling and conflicts of interest and provide examples of balanced communications. Consider:
- creating an understandable risk mantra/disclosure on public communications such as “Be informed & accept the risks”, “Consider before you act”, “Read our forum and blogs for more info”, and then create an FAQ,
- the experience of the target audience as you write,
- sourcing a third party when making projections or promissory statements,
- avoiding investment terms unless there’s an expectation of investment oversight from the government.
5. Develop protocols for managing GRC
Rather than creating protective traditional legal documents, create short, accessible standards for the team to follow. Be strategic about accepting certain risks, and create a risk plan to address short-, medium- and longer-term issues.
Expect to change the GRC program and adopt 4 north star attributes
Support and Affirm Alignment: Draft a Code of Conduct, Terms of Use and UI Disclosures
Global Approach: Adopt a borderless strategy, but focus on the jurisdiction of a concentration of users, prevent criminal liability & rely on jurisdictions with guidance — DOJ Criminal Division — Evaluation of a Compliance Program
Tech Company Policies: Orient your GRC efforts for a technology company. Draft a Sanctions, Privacy and Cookies policy and procedures
Anti-Fraud Efforts: Include an anti-fraud mindset within product development perhaps as part of user experience efforts. Mitigate risks with a consistent focus on serving the interests of users, community and ecosystem. Draft listing standards, implement user protection with bad actor blocking, focus on cyber security, follow a marketing/business development review process before content is posted on public forums.
IV. Conclusion
Resilience of a web3 project will not just entail fighting TradFi and the government’s perception of risks; it also means addressing concerns from within the community. “Most crypto projects are designed with extremely predatory tactics that hurt retail. Most crypto projects have 0 intention of doing anything besides dumping on retail.” Founder, Rari Capital
Reach out if you are interested in a confidential GRC assessment. Warburton offers assessment services including advice on options and best practices and a set of template documents.
More developments in legislation to watch. Senators from leading states – NY and Wyoming – team up to propose allegedly reasonable new oversight over blockchain projects.
SEC settles the first enforcement action concerning ESG disclosures against a mutual fund adviser for alleged misstatements and omissions in its Fund disclosures concerning incorporation of ESG factors into the investment process.
A settlement was reached with NVIDIA Corporation, a public company, for alleged failure to disclose on its 10-Q that crypto mining was a significant element of its revenue.
Smoothing performance numbers and a manual spreadsheet lead to multi-billion-dollar securities fraud, manipulation and criminal liability. SEC Charges Allianz Global Investors: the firm agreed to pay more than $1 billion to the SEC and over $5 billion to victims as restitution.
Sanctions liability is criminal liability. See this important case for blockchain projects. In Re: Criminal Complaint [Under Seal] involves the use of a payment platform allegedly designed and advertised to evade U.S. sanctions through ostensibly untraceable virtual currency transactions.
YOUR COMPLIANCE & RISK PROGRAM
A good reminder – it’s not what happens, but how a team reacts. The South Korean regulators appear to be taking a common approach – a broad investigation – focusing on the intent of those who knew about problems (Terra Investigation).
“Compliance and cybersecurity are not the enemy of innovation.” FinCEN Associate Director of Enforcement and Compliance, speaking at the Chainalysis Links Conference, “The Intersection of Cryptocurrencies and National Security”
In this edition, we highlight class action lawsuits as well as regulatory developments. In the blockchain space, the class action attorneys seem as active as the regulators. Remember to prepare for litigation as you run your compliance and governance programs. This month, in the case against Uniswap, plaintiffs claim users would have been protected from fraud if Uniswap was a regulated entity, i.e., if it was required to prevent fraudulent transactions. The claims focus on Uniswap’s collection of fees for each transaction without regard to culling out fraud on the “exchange”.
SEC and Other Enforcement Actions
What is a Communication System: Bloomberg L.P. and Bloomberg Tradebook presented their comments to the SEC on the proposed amendment to Exchange Act Rule 3b-16 regarding expansion of Regulation ATS, NMS stock and other securities and the rule regarding the definition of Exchange. The Bloomberg comment letter is important and helpful advocacy for fintech firms. Soon after the comments were posted, the SEC extended the comment period for the new rule.
Cyber on Top Again: SEC Enforcement Division allocated 20 additional positions to the SEC Crypto Assets and Cyber Unit. Security is still a top concern!
YOUR COMPLIANCE & RISK PROGRAM
Transparency Benefits: NY Dept of Financial Services issued new Virtual Currency Guidance noting that although virtual currency presents compliance challenges, it conversely “allows a historical view of a virtual currency transmission between wallet addresses, providing the opportunity for greater visibility into transaction lineage than is typically found with traditional, fiat funds transfers”
OCC Consent Order: AML Programs remain the linchpin for blockchain compliance. The OCC consent order against Anchorage highlights the focus on a strong written and formal program as agreed in any supervisory agreement.
What if developments in crypto could transform how we approach centralized compliance? Read this article from NASDAQ and our founder.
Regulatory focus across the digital asset market is increasing in a bid to fight and prevent financial fraud, but nothing substantial has been achieved thus far.
As an advocate for behavioral incentives over regulation by enforcement, I’m also focused on efficient, effective, and sustainable compliance and governance programs. I spend much of my time eliminating bureaucracy and dreaming about eliminating rules and regulations that can’t be aligned with a reasonable rationale and return on investment.
The recent regulatory focus on enforcement aimed at digital asset projects has me wondering if we are missing an opportunity. By way of example, the SEC’s recent budget request for fiscal year 2023 includes an additional $240 million for enforcement, mainly for digital (crypto) assets, purportedly to prevent fraud and bring enforcement cases against fintech start-ups and others that don’t follow applicable securities laws.
Would we use the same approach if crypto was the solution, not a hindrance, to fighting fraud?
The current enforcement approach could be missing the forest for the trees and remaining loyal to traditional patterns without truly questioning their efficiency and whether they are getting the job done.
How are we doing with traditional governance and compliance programs in fighting fraud?
The Transparency International Corruption Perceptions Index (CPI) suggests that compliance and governance programs fail to eliminate fraud despite all the money and effort spent to fight fraud within a traditional corporate structure.
With no meaningful improvement in the last decade and over 50% of countries receiving a failing CPI grade for fighting corruption and fraud, the centralized approach, with compliance officers designing and testing compliance programs and continuously asking the business to engage and build a tone or culture of compliance, is not delivering ROI.
Instead, many compliance officers struggle to align incentives and gain collective ownership to report and solve governance gaps. We continue to see corrupt corporate behavior at some of the world’s most successful companies.
Many compliance officers who design and run SEC-compliant governance programs will tell you it is a perpetual challenge to engage an organization in fighting fraud, owning good governance, or acknowledging the duty to protect all the stakeholders.
With the recent focus on the enforcement of digital asset projects and their role in facilitating fraud, it feels like it’s an opportune time to pause and consider whether there is an increase in scams or just a perception of a rise. Many in the digital asset space would agree that the organizations or projects do not want to perpetuate or facilitate fraud. Instead, they want to have informed users who can transact without cybersecurity thefts and with informed risk-taking, as Secretary Yellen covered in her recent speech about President Biden’s Administrative Order.
Still, the element of innovation that can successfully and more easily engage all stakeholders in governance and compliance should receive commensurate attention to fraud risk.
The demand for digital assets, new technology, and community involvement via Discord, DAOs, smart contracts, and more show the opportunity to bootstrap newly aligned incentives and innovative infrastructure into a fresh compliance and governance paradigm. This paradigm shift could seamlessly leverage engagement, transparency, and collective ownership, not just for the digital assets project but also in tackling fraud.
For instance, gatekeepers or compliance officers do not need to ask the organization to get involved with decentralized governance. With a blockchain ecosystem, there is a common understanding and social contract that the engagement of all stakeholders is valued and crucial to the organization’s viability.
Additionally, compliance officers in the digital assets space can leverage technology and align incentives to minimize the time and effort needed to ferret out issues on their own, as required under traditional norms. Rather than continuing to rely on a centralized audit function, whistleblower programs, and governance-by-policing, they can use blockchain innovations to embed behavioral incentives that use the momentum of digital assets to prevent fraud.
With this new paradigm of decentralized governance and compliance, there is an opportunity for self-reporting by stakeholders, whether personnel, token holders, or community members. This activity can effectively replace the reliance on resource-intensive audits and enforcement, which seem to be most effective only after troubling cultural patterns are immutable and stakeholder harm has occurred.
Blockchain projects – with built-in incentives to report issues early – can be leveraged as an important alternative to traditional centralized compliance and governance programs. As we consider the CPI statistics as well as the increasing budgets for regulatory enforcement teams (the SEC is asking for 133 additional enforcement employees), one wonders whether that is a winning solution.
Beth Haddock
A board member, trusted expert and strategic adviser for growing blockchain and fintech leaders. Beth serves as a bridge between traditional and cutting-edge technologies as a trustee and chair of the Compliance and Risk Committee for yen- and USD-pegged stablecoins, as a chief legal officer for a fintech platform owned by global giant Franklin Templeton and as a strategic advisor to a global DeFi platform.
A founder and Managing Partner of Warburton Advisers, Beth provides governance and regulatory advisory services covering business development, data protection, digital and blockchain products, M&A and ESG investments. She has also developed a patented regulatory technology, is the author of Triple Bottom-line Compliance: How to Deliver Protection, Productivity and Impact and the host of the podcast “What’s Ethical.”
Beth has over 25 years of international C-suite experience and understanding of financial market regulation, compliance investigations, risk management and investment management (IM). As the former Head of Compliance at Brown Brothers Harriman (BBH), a global custody bank with over $4.7 trillion in assets, she successfully led initiatives including service center expansion in Europe, efforts to secure strategic funding and the compliance program redesign.
Beth served as BBH’s Global Chief Compliance Officer (CCO) for the ’40 Act funds, broker-dealer and investment advisor through several material events including crisis related to Madoff, Lehman Brothers and subprime and money market valuations. She also served as the ranking attorney for the ABA Securities Association Lawyers Committee lobbying for the industry on Capitol Hill.
Before becoming the Head of Regulatory Affairs, Beth rebuilt the compliance program as CCO for Guggenheim Investments, which managed more than $200 billion in capital covering 10 different investment sectors and ‘40 Act and private funds.
Beth also held legal and regulatory positions on Capitol Hill and at AXA Financial, where she led the compliance initiative for M&A, was awarded a global innovation award for her work transforming the 7000+ salesforce from agents to fiduciaries, completed a multi-year development program in Europe and served as Corporate Secretary to the AXA Advisors Board of Trustees.
Beth previously served as an independent director, Corporate Secretary and member of the Nominating and Governance Committee for the Brooklyn Music School and the MUSE Academy. She was also a member of the Board of Trustees for Flat World Partners, an impact investing firm.
Beth currently serves as independent director to GMO-Z.com Trust Company, a subsidiary of a publicly-traded Japanese tech conglomerate and issuer of stablecoins. A respected chair of the Compliance Committee and member of the Audit Committee, she brings deep knowledge of AML, financial technology and regulatory trends with her first-hand experience of crisis management and regulation.
She serves as advisor to Balancer Labs, a DeFi platform, where she is laser-focused on value-added sustainable governance for the DAO and the DeFi community.
Beth is Chair of the National Society of Compliance Professionals’ Blockchain and Fintech Roundtable and member of the IM Committee for the NYC Bar Association. Beth is also a member of the Advisory Board and Nominating Committee for the non-profit Good Sports.
Beth earned a BA in Economics from Bucknell University, a JD from The Catholic University of America and executive program credentials from Yale University (Sustainability as a Business Enabler), University of Virginia, Darden (Leadership) and University of California, Berkeley (Sustainable Capital & ESG).
New York, New York • 917-455-6570 • beth@warburtonadvisers.com • linkedin.com/in/bethhaddock