Compliance

Below are the 5 takeaways from the SolarWinds case where a CISO was held personally liable for fraud…

1. Culture & a sub-certification process for government filings is important

CISO at the time signed the sub-cert SolarWinds’ executives relied on. The CISO was also the “approver” and accountable for the Security Statement on the public website. The Statement included claims about relying on a secure development lifecycle (SDL). The SEC alleges several employees knew about inadequate disclosures & misrepresentations in the filings and website and they willingly participated in the cover-up or failed to take action to fix the public statements.

2. Internal communications can make a case for regulators

The facts showed many communications re: concerns including one “Well, I just lied” about a failure to disclose issues to a client. The communications seemed to be mostly within the CISO’s department.

3. A disclosure committee can be helpful

The SEC alleged the risk disclosures were too generic & hypothetical especially because known risks were not disclosed. A disclosure committee can help avoid stale disclosures.

4. Gatekeepers have an important role

It appears as though the board & lawyers did not detect or prevent the failure to disclose/inadequate disclosures. With smart inquiry, I wonder if some of the issues could have been mitigated.

SolarWinds had government clients that were harmed. As a government contractor, adequate disclosure of security incidents should be a top issue because of anticipated enhanced scrutiny & the nature of SolarWinds business as an expert offering cybersecurity products.

There were several failures of security controls including non-compliance with the NIST Framework. Why wasn’t this discovered by third-party audits and/or internal audit tests of the Company’s cybersecurity program?

5. Insiders need to carefully consider when to exercise stock options

The SEC claims the failure to disclose was tied to the CISO’s self-interest in keeping SolarWinds’ stock price inflated.

Link to the full case: SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failure

1. Introduction

A bear market can be a clear test of resiliency. We are seeing some blockchain projects struggling to pass that stress test. Celsius halts withdrawals; Rari goodbye & nod to predatory tactics; Babel suspends redemptions & withdrawals But we also see successful white hat hacks that raise the potential for more holistic resilience across web3 projects. DeFi Attack Averted Surprisingly, these ethical hacks resemble risk and compliance controls in heavily-regulated businesses, but they are more effective because of timing. Instead of a centralized gatekeeper trying to cajole a team’s commitment to risk mitigation, the power of wide engagement in DAOs allows behavioral incentives to be more intuitive and effective with less resistance.

For sustainable growth in web3, let’s adopt a behavioral incentive approach for all governance, risk and compliance (GRC) matters, not just cyber security. Incentivizing self-reporting by aligning everyone with the interests of the community (a “white hat approach”), at a minimum, will more clearly separate the bad actors and innovators. A framework for DAOs is crucial in order to align behavioral incentives, so web3 projects do not repeat the inherent dysfunction of traditional GRC programs. Action is needed now to ensure the framework fits the new ethos and can refute increasing claims by regulators and litigants that a layer of traditional controls should be mandated for web3 projects. One recent example is the debate about how to regulate Tether. Let’s use decentralized consensus and collaboration to incentivize better business conduct.

II. Perils of Traditional GRC and Wait and See Strategy

Once there is a decision about business priorities and the legal entities to support them, the next step is to decide if a project will build a GRC program. After funding is secured, regardless of the size of a project or its potential treatment as a financial product, it’s time to understand threats to the project’s viability. Viability threats can be vast, from operational risks that cause errors or difficulty recruiting and retaining talent, to regulatory and legal risks that impact whether the project could be halted or distracted with government inquiries. Yet, most projects do not proactively address regulatory and operational risks after establishing their legal and business framework. With a bear market and increasing concerns about protection of users, many regulators and legislators are considering how to regulate web3, particularly how to retrofit traditional GRC requirements. SEC Chair Gensler speech; Sec Yellen remarks; New EU-wide regulation; New crypto framework in Brazil; New Singapore crypto law

A Web3 project has at least two choices:

1. Wait and see whether government requirements apply and build a framework then, taking on all the material civil and criminal risks that comes along with a wait and see strategy, or
2. Build a tailored framework that uses the same ethos as ethical hackers and permits the ecosystem to choose its priorities.

If the majority of the web3 projects opt for the wait and see approach, web3 would arguably lose an opportunity to build a better GRC paradigm. Businesses would accept the heightened risk that they need to build a traditional GRC program into the DAO and/or that they are not prepared for inevitable changes to tax, legal and regulatory requirements.

The traditional GRC framework has a mixed record on effectiveness. The transparency international corruption perception index (CPI) indicates that despite all the money and effort to adhere to legal and regulatory requirements designed to fight fraud, traditional GRC programs are failing to eliminate fraud. With no meaningful improvement in the last decade and over 50% of countries receiving a failing CPI grade for fighting corruption and fraud, the centralized approach is not delivering a ROI. Transparency International CPI Instead, many compliance officers struggle to align incentives & gain collective ownership to report and solve governance gaps. We continue to see corrupt corporate behavior at some of the world’s most successful companies. FCPA Violation 120 mil in fines; Retirement Account Fraud; Fraudulent Bond Sale

The new GRC paradigm is poised to leverage the power of decentralization and incentives. For example, compare white hat (ethical) hackers protecting against cyber threats to whistleblowers allegedly fighting corruption and theft. Whistleblower reporting is required under several existing regulatory regimes to incentivize self-policing. EU Whistleblower Directive; SEC Whistleblower and Bounty Program; Anti-corruption Whistleblower Cases. However, whistleblower reporting within businesses is notoriously ineffective at preventing corruption before it occurs and instead is reserved for bringing the problem to the public after the fact. Facebook Whistleblower

There is a strong rationale for not waiting for new regulatory mandates and instead building a Web3 GRC framework that uses the same ethos as ethical hackers to proactively self-govern. This will allow the ecosystem to choose its own priorities and make its own decisions.

III. New GRC Framework

In order to maintain a sustainable peer-to-peer ecosystem, the members need to build trust and deliver on transparent governance. A sustainable GRC program will incentivize addressing conflicts and issues before they threaten the viability of the project. SushiSwap CTO Resigns; SushiSwap Feud

Guiding principles for sustainable governance are:

• Agile & Iterative — Expect changes, build in flexibility and a modular approach that can be adjusted when new risks surface
• Disclosures & Transparency — Assume conflicts and risks should be known, so users are informed
• Anti-Fraud & Consumer Protection — Prioritize well-being of users and adopt a guardian lens
• Caution & Escalate — Create the white hat approach, build in self-reporting incentives and avoid whistleblower pitfalls

A sustainable GRC program should adopt 5 pillars

1.  Know the environment and prepare

As with pen testing or hackathons — expect inquiries from government authorities and litigants. Prepare with an advisory bench and narrative of the project. The narrative should include in and out of scope features to tell the project’s story before being asked to defend the story to the government or litigants. Hire a “white hat” advisor to audit your performance against these pillars and guiding principles.

 2. Create and manage a road map

Create a practical risk inventory based on current developments and maintain it. Assess the relevance of the risks to the project and prioritize drafting a project list to address the top risks. Use the inventory as a confidential road map with use cases and examples to size risks.

 3. Create escalate and questions forum

Create a GRC private Slack channel, Discord, Team meetings and Q/A. Make it easy to ask questions and escalate concerns. Consider building a path where reporting is anonymous to remove any hesitancy. Set a record retention policy to make sure you retain documents you need and create a rational destruction schedule to balance data sharing with security risks. For instance, corporate documents should be retained for the life of the organization, whereby Slack and text messages may contain personal information and should have a short retention period to prevent data breaches.

  4. Have a public relations & communications strategy

Set standards for community, project and personal opinions. Set guidelines to avoid shilling and conflicts of interest and provide examples of balanced communications. Consider

• creating an understandable risk mantra/disclosure on public communications such as “Be informed & accept the risks”, “Consider before you act”, “Read our forum and blogs for more info” and then create an FAQ,
• the experience of the target audience as you write,
• sourcing a third party, when making projections or promissory statements,
• avoiding investment terms unless there’s an expectation of investment oversight from the government.

  5. Develop protocols for managing GRC

Rather than creating protective traditional legal documents, create short, accessible standards for the team to follow. Be strategic about accepting certain risks, create a risk plan to address short, medium and longer-term issues.

Expect to change the GRC program and adopt 4 north star attributes

1. Support and Affirm Alignment: Draft a Code of Conduct, Terms of Use and UI Disclosures
2. Global Approach: Adopt a borderless strategy, but focus on the jurisdiction of a concentration of users, prevent criminal liability & rely on jurisdictions with guidance — DOJ Criminal Division — Evaluation of a Compliance Program
3. Tech Company Policies: Orient your GRC efforts for a technology company. Draft a Sanctions, Privacy and Cookies policy and procedures
4. Anti-Fraud Efforts: Include an anti-fraud mindset within product development perhaps as part of user experience efforts. Mitigate risks with a consistent focus on serving the interests of users, community and ecosystem. Draft listing standards, implement user protection with bad actor blocking, focus on cyber security, follow a marketing/business development review process before content is posted on public forums.

IV. Conclusion

Resilience of a web3 project will not just entail fighting TradeFi and the government’s perception of risks, it is also addressing concerns from within the community. “Most crypto projects are designed with extremely predatory tactics that hurt retail. Most crypto projects have 0 intention of doing anything besides dumping on retail.” Founder Rari Capital

Proactive GRC shows a commitment to responsible growth, rejecting the narrative that predatory tactics are pervasive. The Association of Digital Asset Markets code; Coindesk self-imposed code of ethics Adopting the five pillars of a GRC framework now is a low friction way to build resiliency and position your project for growth. Current opportunities for web3 are boundless which makes a GRC framework even more crucial. 300 million valuation for the metaverse’s largest construction company.

Reach out if you are interested in a confidential GRC assessment. Warburton offers assessment services including advice on options and best practices and a set of template documents.

THE ENVIRONMENT

SEC and Other Enforcement Actions

YOUR COMPLIANCE & RISK PROGRAM

THE ENVIRONMENT

In this edition, we highlight class action law suits as well as regulatory developments. In the blockchain space, the class action attorneys seem as active as the regulators. Remember to prepare for litigation as you run your compliance and governance programs. This month, in the case against Uniswap, plaintiffs claim users would have been protected from fraud if Uniswap was a regulated entity. i.e., if it was required to prevent fraudulent transactions. The claims focus on Uniswap’s collection of fees for each transaction without regard to culling out fraud on the “exchange”.

SEC and Other Enforcement Actions

What is a Communication System: Bloomberg L.P and Bloomberg Tradebook presented their comments to the SEC Amendment to Exchange Act Rule 3b-16 regarding expansion of Regulation ATS, NMS stock and other securities and the rule regarding the definition of Exchange. The Bloomberg comment letter is important and helpful advocacy for fintech firms. Soon after they were posted, the SEC extended the comment period for new rule.

Cyber on Top Again: SEC Enforcement Division allocated 20 additional positions to the SEC Crypto Assets and Cyber Unit. Security is still a top concern!

YOUR COMPLIANCE & RISK PROGRAM

Transparency Benefits: NY Dept of Financial Services issued new Virtual Currency Guidance noting that although virtual currency presents compliance challenges, it conversely “allows a historical view of a virtual currency transmission between wallet addresses, providing the opportunity for greater visibility into transaction lineage than is typically found with traditional, fiat funds transfers”

OCC Consent Order: AML Programs remain the linchpin for blockchain compliance. The OCC consent order against Anchorage highlights the focus on a strong written and formal program as agreed in any supervisory agreement.

What if developments in crypto could transform how we approach centralized compliance? Read this article from NASDAQ and our founder.

Regulatory focus across the digital asset market is increasing in a bid to fight and prevent financial fraud, but nothing substantial has been achieved thus far.

As an advocate for behavioral incentives over regulation by enforcement, I’m also focused on efficient, effective, and sustainable compliance and governance programs. I spend much of my time eliminating bureaucracy and dreaming about eliminating rules and regulations that can’t be aligned with a reasonable rationale and return on investment.

The recent regulatory focus on enforcement aimed at digital asset projects has me wondering if we are missing an opportunity. By way of example, the SEC’s recent budget request for fiscal year 2023 includes an additional $240 million for enforcement, mainly for digital (crypto) assets purportedly to prevent fraud and bring enforcement cases against fintech start-ups and others that don’t follow applicable securities laws.

Would we use the same approach if crypto was the solution, not a hindrance, to fighting fraud?

The current enforcement approach could be missing the forest for the trees and remaining loyal to traditional patterns without truly questioning their efficiency and whether they are getting the job done.

How are we doing with traditional governance and compliance programs in fighting fraud?

The transparency international corruption perception index (CPI) suggests that compliance and governance programs fail to eliminate fraud despite all the money and effort to fight fraud within a traditional corporate structure.

With no meaningful improvement in the last decade and over 50% of countries receiving a failing CPI grade for fighting corruption and fraud, the centralized approach, with compliance officers designing and testing compliance programs and continuously asking the business to engage and build a tone or culture of compliance, is not delivering ROI.

Instead, many compliance officers struggle to align incentives and gain collective ownership to report and solve governance gaps. We continue to see corrupt corporate behavior at some of the world’s most successful companies.

Many compliance officers who design and run SEC-compliant governance programs will tell you it is a perpetual challenge to engage an organization in fighting fraud, owning good governance, or acknowledging the duty to protect all the stakeholders.

At the same time, many compliance officers continue to lament the centralized approach and concern for scapegoating. I’d offer that perhaps that’s why the CPI is still high – even without considering new crypto and blockchain projects.

With the recent focus on the enforcement of digital asset projects and their role in facilitating fraud, it feels like it’s an opportune time to pause and consider whether there is an increase in scams or just a perception of a rise. Many in the digital asset space would agree that the organizations or projects do not want to perpetuate or facilitate fraud. Instead, they want to have informed users who can transact without cybersecurity thefts and with informed risk-taking, as Secretary Yellen covered in her recent speech about President Biden’s Administrative Order.

Still, the element of innovation that can successfully and more easily engage all stakeholders in governance and compliance should receive commensurate attention to fraud risk.

The demand for digital assets, new technology, and community involvement via Discord, DAOs, smart contracts, and more show the opportunity to bootstrap newly aligned incentives and innovative infrastructure into a fresh compliance and governance paradigm. This paradigm shift could seamlessly leverage engagement, transparency, and collective ownership, not just for the digital assets project but also in tackling fraud.

For instance, gatekeepers or compliance officers do not need to ask the organization to get involved with decentralized governance. With a blockchain ecosystem, there is a common understanding and social contract that the engagement of all stakeholders is valued and crucial to the organization’s viability.

Additionally, compliance officers in the digital assets space can leverage technology and align incentives to minimize the time and the effort needed to ferret out issues on their own as required under traditional norms. Rather than continue to rely on a centralized audit function, whistleblower programs, and governance-by-policing, they can use the blockchain innovations to imbed behavioral incentives that use the momentum of digital assets to prevent fraud.

With this new paradigm of decentralized governance and compliance, there is an opportunity for self-reporting by stakeholders, whether personnel, token holders, and community members. This activity can effectively replace the reliance on resource intensive audits and enforcement that seems to be most effective only after troubling cultural patterns are immutable and stakeholder harm occurs.

Blockchain projects – with built in incentives to report issues early – can be leveraged as an important alternative to traditional centralized compliance and governance programs. As we consider the CPI statistics as well as increasing budgets for regulatory enforcement teams (the SEC is asking for 133 additional enforcement employees), one wonders whether that is a winning solution.

Beth Haddock

A board member, trusted expert and strategic adviser for growing blockchain and fintech leaders. Beth serves as a bridge between traditional and cutting-edge technologies as a trustee and chair of the Compliance and Risk Committee for yen and USD pegged stablecoins, as a chief legal officer for a fintech platform owned by global giant Franklin Templeton and a strategic advisor to a global DeFi platform.

A founder and Managing Partner of Warburton Advisers, Beth provides governance and regulatory advisory services covering business development, data protection, digital and blockchain products, M&A and ESG investments. She has also developed a patented regulatory technology, is the author of Triple Bottom- line Compliance: How to Deliver Protection, Productivity and Impact and the host of the podcast “What’s Ethical.”

Beth has over 25 years of international C-suite experience and understanding of financial market regulation, compliance investigations, risk management and investment management (IM). As the former Head of Compliance at Brown Brothers Harriman (BBH), a global custody bank with over $4.7 trillion in assets, she successfully led initiatives including service center expansion in Europe, efforts to secure strategic funding and the compliance program redesign.

Beth served as BBH’s Global Chief Compliance Officer (CCO) for the ’40 Act funds, broker-dealer and investment advisor through several material events including crisis related to Madoff, Lehman Brothers and subprime and money market valuations. She also served as the ranking attorney for the ABA Securities Association Lawyers Committee lobbying for the industry on Capitol Hill.

Before becoming the Head of Regulatory Affairs, Beth rebuilt the compliance program as CCO for Guggenheim Investments, which managed more than $200 billion in capital covering 10 different investment sectors and ‘40 Act and private funds.

Beth also held legal and regulatory positions on Capitol Hill and AXA Financial where she led the compliance initiative for M&A, was awarded a global innovation award for her work transforming the 7000+ salesforce from agents to fiduciaries, completed a multi-year development program in Europe and served as Corporate Secretary to the AXA Advisors Board of Trustees.

Beth previously served as an independent director, Corporate Secretary and member of the Nominating and Governance Committee for the Brooklyn Music School and the MUSE Academy. She was also a member of the Board of Trustees for Flat World Partners, an impact investing firm.

Beth currently serves as independent director to GMO-Z.com Trust Company, a subsidiary of a publicly-traded Japanese tech conglomerate and issuer of stablecoins. A respected chair of the Compliance Committee and member of the Audit Committee, she brings deep knowledge of AML, financial technology and regulatory trends with her first-hand experience of crisis management and regulation.

She serves as advisor to Balancer Labs, a DeFi platform, where she is laser-focused on value-added sustainable governance for the DAO and the defi community.

Beth is Chair of the National Society of Compliance Professionals’ Blockchain and Fintech Roundtable and member of the IM Committee for the NYC Bar Association. Beth is also a member of the Advisory Board and Nominating Committee for the non-profit Good Sports.

Beth earned a BA in Economics from Bucknell University, a JD from The Catholic University of America and executive program credentials from Yale University (Sustainability as a Business Enabler)), University of Virginia, Darden (Leadership) and University of California, Berkeley (Sustainable Capital & ESG).

New York, New York • 917-455-6570 • beth@warburtonadvisers.com • linkedin.com/in/bethhaddock

THE ENVIRONMENT

Developments to watch. Senator Warren and others introduced new legislation to meet a purported need to close the gap in sanctions compliance. Digital Asset Sanctions Compliance Enhancement Act of 2022 A great summary on the debate about whether digital assets are a material conduit for economic sanctions. The EU passed a proposal to eliminate anonymous crypto transactions. Parliament Vote to Require AML for Self-Custody Wallets etc.

Responsible Innovation: President Biden Issues Executive Order Detailing National Policy Objectives for Digital Assets. President Biden issued an Executive Order (E.O.) calling for studies and reports within approximately 6 months. The EO was met by many as a nod to supporting smart regulation of blockchain projects. The E.O. itself does not propose additional requirements or regulations for digital assets. But rather, it brings to light the specific regulatory approaches for these assets.

Sustainability issues to track with blockchain projects: The EU vote on bitcoin mining provided a strong belief that crypto currency was not going to be a phase; rather, certain digital assets may be here to stay. The issue being discussed is the environmental impacts that are caused from crypto. The EU was determining if the activity of crypto mining was sustainable or not which could change the way that crypto may be approached by individuals due to global energy consumption.

SEC and Other Enforcement Actions

Digital Assets Make the List Again. For the 3rd year, digital assets and emerging technologies are included in 2022 SEC exam priorities. The exam focus for digital assets includes custody arrangements, assessment of all aspects of transactions, duty of care of understanding the products, review of compliance practices, risk disclosures and operational resiliency practices.

FINRA issues updated guidance & request for comment. Not a big surprise, FINRA treats crypto futures/crypto as “complex products” so that retail investors receive enhanced protections. “Mutual funds and ETFs that offer strategies employing cryptocurrency futures. In addition to their exposure to cryptocurrency, which could itself be considered complex, these funds track futures contracts rather than the underlying cryptocurrency.” FINRA requesting comment on complex products queries until May 9.

No Permission to Operate. Binance stops business in Ontario.

YOUR COMPLIANCE & RISK PROGRAM

More Institutional Interest in Digital Assets. Digital assets continue to be more relevant for compliance officers in traditional financial services firms. BlackRock filed with the SEC to launch the iShares Blockchain and Tech ETF which would allow the tracking of index comprising companies involved in development and deployment of crypto technologies in the US and abroad.

Sample Disclosures. The EU Financial Authorities offer 10 points of disclosure for digital assets that compliance officers can use for digital asset platforms. i.e., Disclosures cover topics such as warning consumers they are accepting speculative risks with loss of funds, price and liquidity are volatile and unpredictable and typical government protections re: complaints are not available.

Gift Policy Update. New Jersey Assembly Bill 3287 is a good reminder to review compliance policies and consider updating them to include this new asset class for gift limitations, prohibitions and pre-clearance requirements. The bill prohibits public officials from accepting virtual currency and non-fungible tokens as gifts.

THE ENVIRONMENT

SEC and Other Enforcement Actions

YOUR COMPLIANCE & RISK PROGRAM