Category Archives: Financial Reporting

Accounting Firm, Financial Reporting, Law Firm, Privacy, Risk Management, Small Business

File Your Beneficial Ownership Information Report

Found in the nearly 1,500-page National Defense Authorization Act of 2021, is the 21-page Corporate Transparency Act (“CTA”), 31 U.S.C. § 5336.  The CTA currently requires most entities incorporated or doing business under State law to disclose personal stakeholder information to the Treasury Department’s criminal enforcement arm, Financial Crimes Enforcement Network (“FinCEN”), including Tax ID numbers, date of birth, government identification number and copies of government identification documents of all beneficial owners and company state formation applicants (collectively a Beneficial Ownership Information Report or “BOI Report”).

According to Congress, this law is intended to prevent financial crimes such as money laundering and tax evasion committed using shell corporations.  The relevant Constitutional question recently put before an Alabama federal court was whether Congress’ broad powers to regulate commerce, oversee foreign affairs and national security, and impose taxes and related regulations were enough to power such a massive information grab. 

In a 53-page opinion, Judge Liles C. Burke of the Northern District of Alabama answered this question in the negative and struck down the CTA as unconstitutional.  See Mem. Op. at 3 (“Because the CTA exceeds the Constitution’s limits on the legislative branch and lacks a sufficient nexus to any enumerated power to be a necessary or proper means of achieving Congress’ policy goals, the Plaintiffs are entitled to judgment as a matter of law.”).   As recognized by Judge Burke, there was no comparable State or federal law to the CTA.  Mem. Op. at 35.

As a result of Judge Burke’s March 1, 2024 ruling – which began its appellate journey on March 11, 2024, all the plaintiffs in that case are for the time being exempt from filing a BOI Report – including the over 65,000 businesses and entrepreneurs located in all 50 states who are members of Plaintiff National Small Business Association (“NSBA”).  As for everyone else who may be a Reporting Company, the CTA very much still applies.

By way of background, FinCEN issued a final rule implementing the CTA on September 29, 2022 and made that rule effective as of January 1, 2024.  87 Fed. Reg. 59498.  Because only the plaintiffs in the Alabama action are safe from the CTA’s reporting reach all other businesses operating in the United States who are considered Reporting Companies will have to comply with the Rule. 

More specifically, the CTA requires disclosures from “reporting company[ies],” defined as “corporation[s], limited liability company[ies], or other similar entit[ies]” that are either “(i) created by the filing of a document with a secretary of state or a similar office under the law of a State or Indian Tribe, or (ii) formed under the law of a foreign country and registered to do business in the United States.” 31 U.S.C. § 5336(a)(11)(A). The CTA exempts twenty-three kinds of entities from its reporting requirements, including banks, insurance companies, and entities with more than twenty employees, five million dollars in gross revenue, and a physical office in the United States. 31 U.S.C. § 5336(a)(11)(B).  In other words, this statute not only targets shell companies involved in criminal conduct or fraud, it expressly hits most small business owners in the country as well.

“FinCEN estimates that there will be approximately 32.6 million reporting companies in Year 1, and 5 million additional reporting companies each year in Years 2–10.”   87 Fed. Reg. at 59549. The CTA requires these millions of entities to disclose the identity and information of any “beneficial owner.” 31 U.S.C. § 5336(b)(1)(A). A beneficial owner is defined as “an individual who . . . (i) exercises substantial control over the entity; or (ii) owns or controls not less than 25 percent of the ownership interests of the entity,” with some exceptions for children, creditors, and a few others. 31 U.S.C. § 5336(a)(3).

For new entities formed or operating in the United States after January 1, 2024, the CTA requires them to disclose the identity and information of both Beneficial Owners and “Applicants,” defined as “any individual who files an application to form a corporation, LLC, or other similar entity under the laws of a State or Indian Tribe; or registers [a foreign entity] to do business in the United States.” 31 U.S.C. § 5336(a)(2).  Such filings must be made within 90 days of the relevant state filings and those companies formed or operating in the United States prior to January 1, 2024 have until year end.

Reporting entities must give FinCEN a Beneficial Owner or Applicant’s full legal name, date of birth, current address, and identification number from a driver’s license, ID card, or passport. 31 U.S.C. § 5336(a)(1), (b)(2)(A).   Under the final rule, reporting entities are also required to submit an image of the identifying document. 31 C.F.R. § 1010.380(b)(1)(ii)(E). If any of that information changes, the reporting company must update FinCEN, 31 U.S.C. § 5336(b)(1)(D), and FinCEN retains Applicant and Beneficial Owner information on an ongoing basis for at least five years after the reporting company terminates. 31 U.S.C. § 5336(c)(1).  Determining whether someone is a Beneficial Owner can be somewhat difficult given it requires a determination of who “has substantial influence over important decisions made by the reporting company” among other potentially vague criteria.  31 C.F.R. § 1010.38 (d)(1)(i)(C).

A willful provision of false or fraudulent beneficial ownership information or failure to report “complete or updated beneficial ownership information to FinCEN” by “any person” is punishable by a $500 per day civil penalty and up to $10,000 in fines and 2 years in federal prison, 31 U.S.C. § 5336(h)(1), (3)(A); a knowing and unauthorized disclosure or use of beneficial ownership information by “any person” is punishable by a $500 per day civil penalty, along with a $250,000 fine and 5 years in federal prison, 31 U.S.C. § 5336(h)(2), (3)(B); and a knowing and unauthorized use or disclosure while violating another federal law “or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period” by “any person” is punishable with a $500,000 fine and 10 years in federal prison, 31 U.S.C. § 5336(h)(3)(B)(ii)(II).

As recognized by Judge Burke, “[t]he ultimate result of this statutory scheme is that tens of millions of Americans must either disclose their personal information to FinCEN through State-registered entities, or risk years of prison time and thousands of dollars in civil and criminal fines.”  Mem. Op. at 8.  Given the importance of this information, FinCEN already compels banks and other financial institutions to obtain nearly identical information from State entity customers and provide it to FinCEN.  

More specifically, FinCEN’s 2016 Customer Due Diligence rule requires “covered financial institutions” to “identify and verify beneficial owners of legal entity customers.” 31 C.F.R. § 1010.230(a).   As with the CTA, this rule defines a “legal entity customer” as “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account,” unless the entity fits into one of sixteen exemptions – seven less than the CTA exemptions. 31 C.F.R. § 1010.230(e)(1)-(2).

The CDD rule also defines beneficial owners in the same manner: “Each individual . . . who owns, directly or indirectly, 25 percent or more” of the entity; has “significant responsibility to control, manage, or direct a legal entity,” including “a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer)” and “[a]ny  other  individual  who  regularly  performs  similar  functions.”  31 C.F.R. § 1010.230(d)(1)-(2).

In other words, FinCEN’s CDD rule and the CTA provide FinCEN with nearly identical information.  The CTA itself acknowledges the similarity. See 31 U.S.C. § 5336(b)(1)(F) (requiring the Secretary of the Treasury to promulgate regulations that “collect [beneficial owner and applicant] information . . . in a form and manner that ensures the information is highly useful in . . . confirming beneficial ownership information provided to financial institutions.” (emphasis added).  See also Pub. L. 116-283 § 6402 (6)(B) (134 STAT. at 4604 – 4605) (“It is the sense of Congress that . . . [collection of] beneficial ownership information . . . [will] confirm beneficial ownership information [already] provided to financial institutions.”).

According to FinCEN’s compliance with the Paperwork Reduction Act of 1995: “The estimated average burden associated with this collection of information from Reporting Companies is 90 to 650 minutes per respondent for reporting companies with simple or complex beneficial ownership structures, respectively. The estimated average burden associated with Reporting Companies updating information previously provided is 40 to 170 minutes per respondent for reporting companies with simple or complex beneficial ownership structures, respectively.”

Given the appellate route will likely take well over a year to resolve and the NSBA plaintiffs no longer have any injury to adjudicate – which might have expedited an appeal if they had, it is incumbent on business owners to take the CTA at its face value and comply with the implemented regulations of FinCEN.

Blockchain, Digital Assets, DLT, Financial Reporting

NYAG Notches CoinEx Crypto Victory

On June 15, 2023, the New York Office of Attorney General (NYOAG) announced a Stipulation and Consent Order providing for “restitution” amounting to $1,172,971.50 from Vino Global Limited d/b/a CoinEx (CoinEx) and $626,133.88 in penalties to the state because CoinEx allegedly “unlawfully represented itself as an exchange” in violation of New York’s Martin Act.   The underlying lawsuit against CoinEx was filed by the NYOAG in February.  In response to this lawsuit, the Hong Kong-based CoinEx immediately informed its US-based clients that it would completely withdraw its exchange platform and services from the United States. 

In her press release, the NYAG states:  “Unregistered crypto platforms pose a risk to investors, consumers, and the broader economy.”  Of note, no specific NY investor is referenced as being a victim of CoinEx’s activities in New York state.  Rather, a NYOAG investigator created “an account with CoinEx using a computer with a New York-based IP address to buy and sell digital tokens although CoinEx was not registered with the state.”  Moreover, the “restitution” obtained by the NYOAG simply required that each investor “be refunded the amount of cryptocurrency or the cash equivalent of the cryptocurrency they held in their accounts as of April 25, 2023.” 

In other words, the customers of CoinEx got back what was in their accounts and not any monies lost when using the exchange services of CoinEx.  Indeed, CoinEx was already voluntarily refunding and closing out U.S. accounts months earlier. CoinEx was also required to cease and desist from servicing New York customers and was required to implement geoblocking to prevent New York IP addresses from accessing their platform – something CoinEx was already planning on doing for all potential U.S. customers.

To that end, the NYOAG press release mentions that “CoinEx is also prohibited from creating any new accounts for U.S. customers and existing U.S. customers can only withdraw their crypto from the platform.”  This statement is interesting for two reasons.  First, CoinEx by its own accord discontinued providing services to U.S. customers in February – when the NYOAG lawsuit was first filed and long before the recent resolution of this lawsuit.  Second, the NYOAG has no means to supplant the SEC’s authority or to prohibit exchanges from operating in other states.   

Even though it may not be true, it certainly looks good from a PR perspective to say CoinEx was “prohibited” from operating in the U.S. based solely on the NYOAG’s enforcement action.  Interestingly, the NYOAG’s crypto efforts were never strictly limited to “protecting” investors.   In March 2022, the NYOAG issued a taxpayer notice to virtual currency investors and their tax advisors to accurately declare and pay taxes on their virtual investments. 

The recent actions of the SEC coupled with those of New York State – the undisputed financial capital of the country if not the world, point in one direction, namely that the centralized financial institutions that currently control most levers of the financial markets have voted against decentralization and it is now up to the regulators to enforce such decision.

Blockchain, Digital Assets, DLT, Financial Reporting

SEC Declares War on Crypto

On June 6, 2023, the Securities and Exchange Commission filed a 101-page Complaint against the US’s leading crypto exchange, Coinbase that distills to a single sentence:  “Coinbase has never registered with the SEC as a broker, national securities exchange, or clearing agency, thus evading the disclosure regime that Congress has established for our securities markets.” Complaint ¶ 1. A day earlier, the SEC filed a much more aggressive Complaint against Binance – the world’s largest crypto exchange, seeking a “preliminary injunctive relief, including, but not limited to, asset freezes, a verified accounting, repatriation of assets, expedited discovery, preservation of documents and information, prohibition on the destruction of evidence, the appointment of a receiver” as well as disgorgement of profits and fines.

The SEC claims that Coinbase trades in digital assets with “the characteristics of securities” and references billions of dollars’ worth of assets as investment contracts under the famous Howey test.    The SEC lamely begins by reciting the efforts by Coinbase to demonstrate its compliance with the Supreme Court’s Howey test.  Complaint ¶¶ 103 – 110.  The SEC also tries to use against Coinbase the fact that the company raised in its SEC disclosures that the assets made available for trading could possibly be considered investment contracts – in effect turning Coinbase’s indisputable instance of compliance with Securities laws against the company.  See Complaint ¶ 112.

Looking to bury deep its dagger into the heart of the crypto industry, the SEC considers the following investment contracts:  “SOL, ADA, MATIC, FIL, SAND, AXS, CHZ, FLOW, ICP, NEAR, VGX, DASH and NEXO NEXO – (the “Crypto Asset Securities”)”.  Complaint ¶ 114.  All totaled, these digital assets have a value of $37 billion.  Similarly, the SEC’s Binance Complaint also focuses on some of these assets.

The SEC also complains that Coinbase’s Staking Program as applied to two of the above assets – ADA and SOL, also gives rise to the sale of unregulated investment contracts.  See Complaint ¶ 339.  On the very same date as the SEC’s Complaint, the NJ AG’s Office issued a Summary Cease and Desist Order against Coinbase for violations of New Jersey’s Securities Laws and corresponding penalties of $5 million in connection with Coinbase’s staking offerings.

The SEC’s targeted digital assets are tied to leading networks and platforms in this space – Solano (SOL), Cardano (ADA), Polygon (MATIC); as well as the leading means of powering the IPFS protocol necessary for the storage of media/data outside of a blockchain – Filecoin (FIL); metaverse player The Sandbox (SAND) and the leading “play to earn” platform Axie Infinity (AXS).  Interestingly, NEXO can only be traded using the Coinbase Wallet and the FLOW coin of Dapper Labs is already subject to a securities lawsuit.  Whereas the SEC targeted dominant services and their tokens – comprising the bulk of its Complaint, the SEC ignores many others with arguably a more visible Howey problem, e.g., Civic Technologies, Inc. with its CVC utility token.

Unlike with Binance, the SEC does not look to freeze Coinbase’s assets.  Nearly as bad, however, the SEC does seek injunctive relief against Coinbase that would prevent its current business from going forward as well as Coinbase’s disgorgement of profits and the assessment of fines.  In effect, the SEC is looking to shutter two of the largest crypto exchanges as well as obtain a ruling that the most important crypto monetization tools in existence today are improperly fueled using unregulated securities. 

It’s not exactly clear why the SEC is looking to kill the crypto industry or at drive it from the United States but one thing is certain – that is exactly what might happen if all the allegations made by the SEC turn into favorable rulings.  One potential canary in the coalmine is the Ripple lawsuit filed by the SEC a few years back that will soon become ripe for adjudication.  It can only be hoped that this very-well funded company makes some inroads with its defense that can spill over to Coinbase.

Accounting Firm, Blockchain, Digital Assets, DLT, Financial Reporting, NFTs, Risk Management

The NFT Growth Tax

Between Amazon launching next month its NFT Marketplace – tentatively called the “Amazon Digital Marketplace”, Sotheby’s already launched high-end secondary marketplace for “digital artwork”, and Christie’s launching last year its Christie’s 3.0 – a platform allowing for fully on-chain sales that demonstrates “the auction house’s commitment to both artists and collectors in the Web3 space”, programmable digital assets/NFTs are simultaneously entering both ends of the mainstream market.     

Probably the most important takeaway from such broad initiatives turns on the fact foundational brands have decided to supplant the prior NFT free-for-all initiated by PFP projects, artists and collectors.  Despite potentially risking the same fate of Dapper Labs, Amazon will rely on a private blockchain that takes credit cards while Sotheby’s eliminates “NFTs” from the equation altogether to focus on what it calls “digital artwork” even though digital art has already been around for decades.  What is clear is that Amazon’s use of its own “brand worthy” naming convention – “Amazon Digital”, elevates rather than hinders this new ecosystem. 

Being swept aside by this establishment wave is OpenSea – the newly-displaced old guard and wild-west pioneer who likely never contemplated insider trading as a risk until a former OpenSea Manager was recently convicted of it.  Not surprisingly, OpenSea offloads tax obligations and refers its users to CoinTracker for tax calculations.  OpenSea even explicitly points out to users of the marketplace that “[y[ou are responsible for determining what, if any, taxes apply to your purchases, sales, and transfers of NFTs. If you have specific questions regarding taxes, please consult with a professional tax advisor.”  OpenSea’s sole Help Center entry regarding taxes further drives home the point:  “Users are responsible for determining what, if any, taxes apply to their purchases, sales, and transfers of NFTs. If you have questions about taxes, please consult with a professional tax advisor.”

In sharp contrast, the government is certainly rooting for reliable tax collectors such as Amazon, Christie’s and Sotheby’s to enter the NFT sandbox.  Since 2018 – when the Supreme Court overruled decades of precedent, taxation of online sales no longer depends on physical presence within a particular state.  The new guard will create the proper recipe for mass profitable usage, namely removing tech geek elements, improving user interfaces, adding brand allure, and ensuring government is happy and remaining on the right side of the regulatory fence. 

As Grace Kyne of EY informed attendees at the April 13, 2023 NFT.NYC session “NFTs and Marketplaces: Opening Pandora’s Box”, there are state-specific marketplace facilitator rules that make most marketplaces subject to state tax.  Not surprisingly, Amazon is front and center in pointing that hard fact out to its market participants: “Marketplace Facilitator legislation is a set of laws that shifts the sales tax collection and remittance obligations from a third party seller to the marketplace facilitator. As the marketplace facilitator, Amazon will now be responsible to calculate, collect, remit, and refund state sales tax on sales sold by third party sellers for transactions destined to states where Marketplace Facilitator and/or Marketplace collection legislation is enacted.”

In other words, pushing digital asset sales to Amazon is really every state treasurer’s dream.

This should not come as any surprise.  Ever since the 2019 tax year, IRS Form 1040 has included a question regarding a taxpayer’s cryptocurrency activity. In 2021, the IRS slightly broadened the scope of its inquiry:  “At any time during 2021, did you receive, sell, exchange, or otherwise dispose of any financial interest in any virtual currency?”  In 2022, the scope of the latest IRS Form 1040 broadened yet again: “At any time during 2022, did you: (a) receive (as a reward, award, or payment for property or services); or (b) sell, exchange, gift, or otherwise dispose of a digital asset (or a financial interest in a digital asset)?

In other words, the IRS expressly seeks disclosure of all digital asset transactions and not merely those involving cryptocurrencies.  The IRS now wants to know about a taxpayer’s NFT sales and any income generating activities where digital assets are received as payment.  On April 5, 2023, the IRS released its IRS Tax Tip 2023-45 which elaborated on this new position regarding a taxpayer’s obligation to report digital asset transactions – including citation to applicable supplemental forms.  By informing taxpayers of their new obligations – by way of tax forms and “tax tips”, it becomes increasingly difficult for them to argue any lack of knowledge on the topic.   The easiest approach will always be one which just assumes all realized digital asset gains are taxable.   

And, to the extent there was any ambiguity regarding more specific tax treatment of NFTs, that might soon evaporate given the IRS – in its March 13, 2023 Notice 2023-27, seeks to classify most NFTs as “collectibles” – a lesser form of asset for purposes of capital gains and other tax purposes.

Specifically, Notice 2023-27 – which seeks comments before June 19, 2023, announces the IRS’s and Treasury’s intention to issue guidance as to whether certain NFTs are “collectibles” under IRS Section 408(m).  Currently, the only available categories of “collectibles” under this section are:  “(A) any work of art, (B) any rug or antique, (C) any metal or gem, (D) any stamp or coin, (E) any alcoholic beverage, or (F) any other tangible personal property specified by the Secretary for purposes of this subsection.”  See 26 USC § 408(m)(2).  The IRS recognizes that NFTs do not presently constitute any of the above – including “art” given an NFT is not the art itself, it is a digital file pointing to the actual digital art typically found using an IPFS gateway such as Pinata.  Moreover, Section (F) expressly references “tangible personal property” so that catchall also does not squarely fit. 

While waiting for comments, the IRS will deploy a “look-through” analysis:  “Under the look-through analysis, an NFT constitutes a section 408(m) collectible if the NFT’s associated right or asset is a section 408(m) collectible. For example, a gem is a section 408(m) collectible under section 408(m)(2)(C), and therefore an NFT that certifies ownership of a gem constitutes a section 408(m) collectible. Similarly, an NFT does not constitute a section 408(m) collectible if the NFT’s associated right or asset is not a section 408(m) collectible. For example, a right to use or develop a “plot of land” in a virtual environment generally is not a section 408(m) collectible, and therefore, an NFT that provides a right to use or develop the “plot of land” in the virtual environment generally does not constitute a section 408(m) collectible.”  See IRS Notice 2023-27.

It is not clear whether the “look-through” approach would be limited to an underlying physical asset tied to the NFT or whether it might include potential money-generating components of an NFT.  More than likely, however, the relevant IRS section could not be broadly interpreted to include future gains unrelated to specific associated assets.  Moreover, earning rewards by way of an NFT should not be taxable given rewards are generally treated as a rebate or discount on purchases – that should be treated no differently than frequent flyer miles.

The lesson learned for businesses seeking to grow NFT adoption is that market validation and future growth opportunities are now inevitable given the tax hounds have gotten the scent.  To the extent there were any previous regulatory barriers to growth opportunities, those will be lifted so long as the government gets it take.

Blockchain, Digital Assets, DLT, Financial Reporting, NFTs, Risk Management

NFT vs. FTX

Fine art NFTs slowly but surely prop up blockchain technology while also moving the nascent Digital Fine Art movement – like popcorn placed in a Raytheon microwave oven but in a less pedantic manner.  On November 16, 2022, a burning question for NFTs is whether the unfolding FTX disaster advances or hinders their cause.

Over 230 years ago, Courts recognized that fraud taints everything it touches.  Snyder v. Findlay, 1 N. J. Law (Coxe) 48, 51 (1791).  Notwithstanding the good intentions of respected celebrity endorsers Larry David, Tom Brady and Stephen Curry, the fraudster Sam Bankman-Fried – now derided as “Sam Bankrun-Fraud”, incredibly avoided internal detection by stealing and hiding funds using his own personal backdoor software tool.  By trading client assets, his massive fraud did the exact opposite of what his firm contractually promised clients as a condition of FTX’s custody. 

Fried’s fraud has become a major contagion in the crypto world – some are even posturing FTX as Exhibit “A” in their case against crypto adoption.  Despite the pernicious nature of Fried’s massive fraud, there remains underlying positive news given FTX’s failures shine a light on why NFTs will continue having a long and impactive run and why their decentralized nature will eventually become baked into most financial assets.  Indeed, the term “NFT” will hopefully disappear from our vernacular given the underlying technology’s future ubiquity.  Literally no one cares how “Hypertext Transfer Protocol Secure” works so long as the “https” before a website address gets the job done.  Similarly, few really care about the technology behind a “non-fungible token”.   Owners only care about having transferable digital property self-containing proof of ownership, verifiable uniqueness and programmable contract attributes.

The FTX debacle immediately adversely impacted NFT markets because NFTs are purchased and sold using cryptocurrencies – most of which took a major hit beginning on November 2, 2022, the publication date of Coindesk’s expose on FTXAnd, with Solana’s SOL emerging as this worst-performing crypto asset – losing over 41% in value given FTX was an important backer of the network, several Solana NFT marketplaces, namely Magic Eden and Solanart, felt an even greater FTX sting than other NFT marketplaces.   

Despite the fact NFT sales remain on a slow mass adoption cycle, as of November 16, 2022 OpenSea alone still had nearly $33 billion in total NFT trades.  NFTs are well beyond the proof-of-concept stage but mass adoption will continue a slow journey given the constant press assaults.  For example, in a May 3, 2022 Wall Street Journal hit piece suggesting that it may be “the beginning of the end” for NFTs, Zach Friedman, co-founder and chief operating officer of crypto brokerage Secure Digital Markets, is quoted as saying:  “The ones that continue will be utility-focused for sure.” 

That perspective is both correct – utility is an intrinsic feature of all NFTs, and wrong given it begs the question:  Since when does fine art ever need additional utility for it to gain status as “fine art”?  Utility is always found in great art simply by way of the esthetic utility derived.  As of the same month as the WSJ article – May 2022, collectors sent over $37 billion to NFT marketplaces, putting them on pace to beat the total of $40 billion sent in 2021.  Even though the vast majority of these transactions are not for fine art NFTs, the disrespect shown today for Digital Fine Art remains no different than cubist art in 1910. 

At the 1913 Armory Show in New York City, the most famous collectors of modern art originally shunned what they saw.  Indeed, after the show travelled to Chicago, members of the Art Institute of Chicago – the first museum brave enough to display these works, burned mock-Matisse and Picasso effigies on the museum’s steps. Today, the Art Institute of Chicago proudly hangs over five hundred important works created by Matisse and Picasso.  History will always have an uncanny way of repeating itself.

At an Art Basel panel discussion, Esther Kim Varet, owner of the L.A. and Seoul gallery Various Small Fires, reportedly let the cat out of the bag as to why Digital Fine Art runs against the grain of the fine art world: “There are a lot of barriers and it feels exclusive once you get in. And I fear that the more pricing transparency there is … we’re going to have to invent new ways to create this aura of exclusivity or privilege. Not that those things are things that we should value but it’s just kind of what the art world is built on.”

In other words, pricing opaqueness is positioned as a virtue of the art world community.  Not surprisingly, the pricing transparency and documented provenance inherent in Digital Fine Art in the form of NFTs in some ways runs counter to this view of the art world.   While the actual art in Digital Fine Art provides utility plain and simple, the programmable nature of the smart contracts used in NFTs provides a world of opportunity for collectors and artists. Such underlying contractual rights can create a lifetime relationship between collector and artist – one with ties to direct interactions removed from any centralized control.  More to the point, fine art galleries and dealers can readily join in this new form of relationship.  Ultimately, the only barriers to the heights Digital Fine Art can achieve is driven by a lack of imagination and a fear of the unknown.

UPDATE: December 13, 2022

On December 13, 2022, the SEC filed criminal charges against Bankman-Fried. The complaint alleges he “orchestrated a years-long fraud to conceal from FTX’s investors (1) the undisclosed diversion of FTX customers’ funds to Alameda Research LLC, his privately-held crypto hedge fund; (2) the undisclosed special treatment afforded to Alameda on the FTX platform, including providing Alameda with a virtually unlimited “line of credit” funded by the platform’s customers and exempting Alameda from certain key FTX risk mitigation measures; and (3) undisclosed risk stemming from FTX’s exposure to Alameda’s significant holdings of overvalued, illiquid assets such as FTX-affiliated tokens.”

In parallel actions, the U.S. Attorney’s Office for the Southern District of New York and the Commodity Futures Trading Commission also announced their own charges against Bankman-Fried.

Given that he was about to testify before Congress, the timing of the SEC and CFTC actions are not nearly as important as that of the criminal indictment. In effect, the DOJ has prevented a potential treasure trove of wholly admissible statements from being elicited. Now that he has been indicted and arrested in the Bahamas, lawyers will be the only ones talking for money-runner SBF. That’s too bad.

Financial Reporting, IT Consultants, Law Firm, Network Security, Privacy, Risk Management

Alleged cover-up leads to criminal complaint against former Uber CSO

In filing its August 20, 2020 criminal complaint against the former Uber CSO, the US Attorney for the Northern District of California issued a wake-up call to every CISO responding to a federal investigation of a data incident.  And, by stating in its press release, “we hope companies stand up and take notice”, the Justice Department has definitely thrown down a gauntlet against CISOs across the country.  

By way of background, Uber sustained a data breach in September of 2014 that was investigated by the FTC in 2016.  Uber designated its CSO – Joseph Sullivan, to provide testimony regarding the incident.  Within ten days of providing testimony to the FTC, Sullivan received word Uber was breached again but rather than update his testimony before the FTC he allegedly tried very hard to conceal the incident from the FTC.  Indeed, Sullivan allegedly went so far as to concoct a bug bounty program cover story and asked the hackers to sign an NDA as a condition of their getting $100,000 in bitcoin.

The Special Agent’s supporting affidavit swears that “there is probable cause to believe that the defendant engaged in a cover-up intended to obstruct the lawful functions and official proceedings of the Federal Trade Commission. . . . It is my belief that SULLIVAN further intended to spare Uber and SULLIVAN negative publicity and loss of users and drivers that would have stemmed from disclosure of the hack and data breach.”

In other words, a CSO allegedly spared his employer “negative publicity and loss of users” by inaccurately describing an incident and failing to disclose it in timely manner.  Even though the alleged conduct of Uber’s former CSO may have pushed the needle into the red zone, there are also potential arguments in his favor.  In coming up with one such counterargument, several Forrester analysts suggest:  “Sullivan did not inform the FTC during the sworn investigative hearing because he couldn’t have:  Sullivan learned of the 2016 breach 10 days later. To inform the FTC, Sullivan would have needed to reach out and inform them about a separate, new, but similar breach. There’s also some confusion as to whether Sullivan was under any legal obligation to do so.”

Whatever happens in this particular case, the fact remains CISOs sometime inadvertently play too close to the edge.  The underpinnings of an incident are whatever they are – no one can or should ever try to morph them into something different.  Good legal and IT counsel will mitigate loss and certain exposures but only with the assistance of CISOs and CSOs who recount events rather than fabricate them.  Not surprisingly given no company is immune to a breach, it’s only the cover-up that will ever hurt and not the incident itself. 

Accounting Firm, Financial Reporting, IT Consultants, Network Security, Risk Management

Ransomware Has Officially Become a D&O Problem

On April 30, 2020, ZDNet reported that there have been more than 1,000 SEC filings over the past 12 months listing ransomware as a risk factor – with more than 700 in 2020 alone.  These filings include annual reports (10K and 20F), quarterly reports (10Q), and registration forms (S1). 

Even the most sophisticated technology companies now insert the word “ransomware” into their Risk Factors section. See Alphabet, Inc., Form 10-Q, dated April 28, 2020, at 50  (“The availability of our products and services and fulfillment of our customer contracts depend on the continuing operation of our information technology and communications systems. Our systems are vulnerable to damage, interference, or interruption from terrorist attacks, natural disasters or pandemics (including COVID-19), the effects of climate change (such as sea level rise, drought, flooding, wildfires, and increased storm severity), power loss, telecommunications failures, computer viruses, ransomware attacks, computer denial of service attacks, phishing schemes, or other attempts to harm or access our systems.”).   

As reported by ZDNet, companies as varied as American Airlines, McDonald’s, Tupperware, and Pluralsight also list ransomware as a potential risk to their business. 

By inserting the word “ransomware” into a Risk Factors section, reporting companies may have elevated the relevant standard for companies who do not reference ransomware.  By way of background, in October 2011, the SEC began planting cyber risk disclosure seeds when it issued non-binding disclosure guidance regarding cybersecurity risks and incidents.  Back in 2011, the SEC wrote:  “Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.” Seven years later, this non-binding guidance became binding.

On February 26, 2018, the SEC issued binding guidance that recognizes:  “Companies face an evolving landscape of cybersecurity threats in which hackers use a complex array of means to perpetrate cyber-attacks, including the use of stolen access credentials, malware, ransomware, phishing, structured query language injection attacks, and distributed denial-of-service attacks, among other means.”   By expressly listing ransomware two years ago in its Statement, the SEC was making it quite clear that the current threat landscape includes the risk of ransomware and that directors and officers have to address this likely risk.

More to the point, the Statement and Guidance on Public Company Cybersecurity Disclosures instructs “that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.” 

Not surprisingly, the failure to disclose a prior ransomware attack would also be actionable.  See SEC Statement at 14 (“In meeting their disclosure obligations, companies may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.  For example, if a company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur.”).

If ransomware incidents were avoided altogether, however, there would be no liability attached to associated filings no matter what was communicated to the market. Moreover, even when attacks were not avoided, little disclosure risk would exist if the company applied best practices to avoid such an incident and provided an accurate accounting of what took place when an incident did take place. To that end, deploying proactive approaches considered state-of-the-art when dealing with ransomware risk will naturally mitigate against any potential SEC disclosure risk.

For example, there is at least one novel solution that can reduce ransomware attacks by anticipating when a compromised system’s ransomware package will be released and then neutralizing the ransomware threat before any ransomware release actually takes place.  By evaluating and deploying such cutting-edge solutions, companies will be well positioned to neutralize any potential shareholder claims – as well as satisfying the much more important task of protecting corporate data and other digital assets.  Thankfully, “it is never too late to begin importing a more robust security and privacy profile into an organization – which is the only real way to diminish the risk of a ransomware attack.”  As with most successful corporate endeavors, management buy-in will typically be the necessary first step.

Financial Reporting, Network Security, Privacy

First GDPR Proposed Fine Comes in at a Whopping $229 Million

On July 8, 2019, the UK’s Information Commissioner’s Office announced its intention to fine British Airways £183.39M ($229,377,293) for data breach infringements of the General Data Protection Regulation (GDPR).  This first publicly-disclosed GDPR penalty amounts to about 1.5% of British Airways’ worldwide turnover– which is still less than the possible maximum penalty of 4%.  Alex Cruz, British Airways chairman and chief executive officer, said in a press release:  “We are surprised and disappointed in this initial finding from the ICO.  British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

According to the ICO, the massive fine was ultimately based on the harvesting of personal data of approximately 500,000 customers only one month after GDPR became enforceable.  The ICO investigation uncovered that “a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.”

Given that the ICO’s final decision will take into consideration a formal response from British Airways and other data protection authorities, the fine will likely be modified in same way – this is also likely given there were new security procedures implemented by British Airways, there is no present evidence of fraud, and British Airways has already threatened an appeal.

At the time of the attack, British Airways provided very little information regarding how it was accomplished other than to say it impacted website and app bookings from August 21 to September 5, 2018 and that it was the victim of a “sophisticated, malicious criminal attack“.  One security expert posited that malicious code was planted on the website’s payments page using a modified version of the Modernizr JavaScript library.  Others have considered this attack caused by a cross-site scripting exploit.  No matter what the attack vector or exploit, this was clearly the sort of security lapse that has dogged many companies over the years.  To now have a potential $229 million fine waiting on the sidelines can only be considered yet another massive motivation to get one’s security house in order as soon as possible.

UPDATE: July 9, 2019

A day after the British Airways proposed fine, Marriott was hit with a $123 million proposed GDPR fine for a November 2018 breach.

Behavioral Advertising, Blockchain, Digital Assets, DLT, Financial Reporting, Network Security, Privacy, Risk Management, Social Media

Do ICOs have any future?

On February 6, 2018, the Senate Committee on Banking, Housing, and Urban Affairs met in open session to conduct a hearing entitled, Virtual Currencies: The Oversight Role of the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission.  The Honorable Jay Clayton, Chairman, U.S. Securities and Exchange Commission and The Honorable J. Christopher Giancarlo, Chairman, U.S. Commodity Futures Trading Commission provided lengthy and thoughtful prepared statements.  In his statement, Chairman Clayton explained why the SEC was devoting significant resources to ensure ICO founders do not skirt SEC’s regulatory oversight of security offerings and Chairman Giancarlo reaffirmed that the CFTC will similarly enforce its regulations on commodities.

Their testimony provides helpful insight regarding the enforcement direction these agencies will take in the coming months.  According to Chairman Clayton, in 2017 there was $4 billion raised in ICOs -with an unknown amount being sold in the US.   He was generally “very unhappy with ICOs” and mentioned that the SEC was “working the beat hard” to crack down on them.  Accordingly, ICOs are in the “crosshairs of enforcement” and tellingly he testified that “every ICO [he has] seen is a security” subject to enforcement.  This testimony is consistent with prior SEC pronouncements given that  Chairman Clayton previously requested that the SEC’s Enforcement Division “vigorously” enforce and recommend action against ICOs that may be in violation of the federal securities laws.   During his testimony, Chairman Clayton repeated several times that the SEC would continue to “crack down hard” on fraud and manipulation involving ICOs offering an unregistered security.

According to Chairman Clayton, the definition of a security is broad and will turn on whether someone can profit from efforts going forward by buying the token and then trade it with someone else for further profit.  Both Chairmen recognized that no one agency has any direct oversight of virtual currencies and welcomed efforts from Congress to draft new legislation that would help with their coordination efforts.

In probably the most interesting exchange during their two-hour testimony, Senator Mark Warner of Virginia recognized that the SEC went after certain ICO promoters but not others so directly asked Chairman Clayton whether the SEC “will go back [to scrutinize prior ICOs]?”  Correctly avoiding that question – given it requests insight as to future SEC enforcement efforts, Chairman Clayton instead offered that the SEC is counting on lawyers and accountants to also act as “gatekeepers” for future ICOs.

Chairman Clayton’s testimony came on the heels of the SEC’s Cease and Desist Order in the Munchee, Inc. matter that may have closed the lid on many planned 2018 ICO’s given the stringent standard set forth in that SEC Order.  By way of background, Munchee created an iPhone application for people to review restaurant meals.  In October and November 2017, Munchee offered and then sold purported utility tokens issued on the Ethereum blockchain.  “Munchee conducted the offering of MUN tokens to raise about $15 million in capital so that it could improve its existing app and recruit users to eventually buy advertisements, write reviews, sell food and conduct other transactions using MUN.”  Order at 1.

In deeming the MUN utility token a “security” subject to SEC oversight, the SEC made the following finding of fact in its December 11, 2017 Order:

Purchasers had a reasonable expectation that they would obtain a future profit from buying MUN tokens if Munchee were successful in its entrepreneurial and managerial efforts to develop its business. Purchasers would reasonably believe they could profit by holding or trading MUN tokens, whether or not they ever used the Munchee App or otherwise participated in the MUN “ecosystem,” based on Munchee’s statements in its MUN White Paper and other materials. Munchee primed purchasers’ reasonable expectations of profit through statements on blogs, podcasts, and Facebook that talked about profits.

Order at 5.

There remains hope for future ICOs given that the SEC is certainly not going after them all.  One ICO left untouched by the SEC was “gate keeped” by Perkins Coie and involves an ICO for an Ethereum utility token that raised $35 million in under a minute’s time.   See FAQ (“We and our counsel at Perkins-Coie are confident that the Basic Attention Token is properly classified as property with utility on the platform we are building, and not a security.”).  Given the subsequent Munchee C&D Order, it is unclear why the SEC does not “go back” to this ICO as suggested by Senator Warner.

The founders of Brave Software launched the “Basic Attention Token” in May 2017 seeking to improve on the current digital advertising ecosystem:   “Digital advertising is broken [with] unprecedented levels of malvertisements and privacy violations.”  The BAT token looks to fix this broken system by creating an ecosystem tied to consumer attention – which is why it is called the “Basic Attention Token”.  Such ecosystem would certainly be an upgrade from the current digital advertising scheme based on the Web ecosystem of 1995.  BAT tokens can only derive long term value by way of the Brave® Browser.   As set forth by a marketing blogger, “If Brave isn’t adopted, the new advertising structure won’t work.”

By successfully obtaining registered trademark No. 5,362,328 for BRAVE – a mark used to distinguish Brave Software’s “web browser software”, the founders of the BAT token demonstrate ownership rights in the Brave browser, that they are the source of such product, and that they will be the direct cause of the browser’s success.  In other words, buyers of the BAT ICO would necessarily profit from the efforts of Brave Software, Inc.   On the other hand, there remains utility to the BAT token.  Moreover, a utility token will likely always be at least remotely tied to the efforts of its founders – there is little reason to believe a token left in the wild would hatch into anything of value.  The fact that the SEC has not scrutinized the BAT ICO is actually an encouraging sign the SEC will temper its enforcement actions when faced with a disruptive blockchain initiative that begets true intrinsic value in the token.

State and Private Enforcement of ICO schemes

In addition to existing federal enforcement, state agencies are also cracking down on ICOs.  For example, on January 17, 2018, the Massachusetts Securities Division filed an administrative complaint against a Cayman Islands company given that the company operated out of Massachusetts and its ICO offered for sale “a security without such security being registered or exempt from registration.”  Complaint at 2.

And, to the extent state regulatory oversight may be lacking, states will try and enlarge regulatory reach by enacting new laws.  For example, California introduced a year ago the Virtual Currency Act (A.B. 1123), which would have required those involved in a “virtual currency business” within the state to register with California’s Commissioner of Business Oversight.  Even though this attempt at regulating cryptocurrencies died on January 31, 2018 due to political pressure, it may come back in a different from.    Interestingly, there was a carve out in the bill for any “virtual currency business” when it uses “[d]igital units that are used exclusively as part of a consumer affinity or rewards program”.

Class action counsel has also impacted ICOs by directly suing ICO founders in order to recoup millions for class participants.  One recent case is Davy v. Paragon Coin, Inc., et al., Case No. 18-cv-00671 (N.D. Cal. January 30, 2018).  Plaintiff class counsel sued Paragon based, in part, on the Paragon white paper characterizing its PRG token as potentially increasing in value simply based on the reduction of supply and an increase in demand.  Moreover, the paper suggests that “PRG is designed to appreciate in value as our solutions are adopted throughout the cannabis industry and around the world.”  Id. at 31.  In other words, the efforts of the founders would directly generate a more profitable investment result from the ICO.

Another ICO class action fraud case was filed in Paige v. Bitconnect Intern. PLC, et al., Case No. 3:18-CV-58-JHM (W.D. Ky. January 29, 2018).  The plaintiff’s claim of a Ponzi scheme was so strong it resulted in a TRO from the Court a day after filing suit.  Any future ICO that results in a loss in value to “investors” will likely trigger class counsel to spring into action.

The future of ICOs remains viable

Where does this trifecta of enforcement efforts – federal, state and private, leave ICOs?  If bankers are to believed, there is currently not much “there”, there.   In a report dated February 5, 2018, Goldman Sachs Group Inc.’s global head of investment research suggests that investors in ICOs could possibly lose their entire investments.  Goldman’s Steve Strongin said that while he did not know a timeframe for total losses in existing coins and tokens, he ruminated:  “The high correlation between the different cryptocurrencies worries me. . . Because of the lack of intrinsic value, the currencies that don’t survive will most likely trade to zero.”

Given the disruptive nature of ICOs on the IPO and private equity markets, it is not surprising that the global head of Goldman downplays the future of ICOs – even if he is correct in pointing out  the lack of intrinsic value in most every utility token and coin offered in an ICO.  Notwithstanding current enforcement actions and competition from traditional markets, the future for ICOs should remain viable.  Moving forward, the key to a viable and “compliant” ICO will be whether the ICO is conducted for a utility token having  demonstrated intrinsic value connected to the activities of those other than merely the ICO’s founders.

Financial Reporting, Law Firm, Privacy

CNIL Goes Easy With Google Fine

On March 17, 2011, CNIL fined Google €100,000 for improperly gathering and storing data for its Street View application.   Founded over thirty years ago, CNIL is an independent administrative authority that protects the privacy and personal data of French citizens.

Although this is the largest penalty ever awarded by CNIL, it certainly does not begin to move the needle when it comes to hurting Google’s very deep pockets.  This is nothing more than an interesting wrist slap in light of the significant privacy infraction.  The vast amount of personal data that was improperly collected by roaming “Google bikes” and “Google cars” – included e-mails and web browsing histories amounted to 600 gigabytes of unencrypted Wi-Fi data.

Even though US regulators have been hitting hard with recent fines of $4.3 million and $1 million, one lingering threat that was always out there on the privacy regulatory front was from an EU privacy agency holding a firm to unexpectedly high standards.   After seeing CNIL’s Google fine, that threat may have sputtered away.  What US firms need to continue to fear are the many class action suits that quickly sprout up — as they did when Google disclosed this “Wi-Spy” mishap — whenever there is a public disclosure of a privacy breach.