But Noncustomer Plaintiffs May Face Uphill Battle Proving Digital Currency Exchange’s Actual Liability

Earlier this week, the Eleventh Circuit affirmed, in an unpublished opinion, that Coinbase Inc., an online platform used for buying, selling, transferring, and storing digital currency, could not compel arbitration on a former customer of Cryptsy, a now-defunct cryptocurrency exchange, in his proposed class action suit alleging that Coinbase helped to launder $8 million of Cryptsy customers’ assets. Leidel v. Coinbase, Inc., Dkt. 17-12728.

In so holding, the Court found that the plaintiff’s allegations emanated not from the User Agreement between Coinbase and Cryptsy’s CEO, Paul Vernon, but from extra-contractual duties “allegedly” found in federal statutes and regulations, specifically the Bank Secrecy Act (“BSA”).  As we previously have blogged, courts have held that financial institutions generally do not owe a duty of care to a noncustomer and that no special duty of care arises from the duties and obligations set forth in the BSA absent a special relationship or contractual relationship. Moreover, there is no private right of action stemming from the BSA. Nor does the BSA define a financial institution’s standard of care for the purposes of a negligence claim.

Coinbase is registered as a Money Services Business with FinCEN, and is otherwise required to comply with the BSA. However, if courts treat Coinbase as it would any other financial institution (which we have no reason to believe that they would not), Plaintiff, having avoided the contractual arbitration provision, has an uphill battle to show that Coinbase had a duty of care to noncustomers to prevent AML failures.

In this case, Brandon Leidel, the named plaintiff, alleged on behalf of a putative class that Cryptsy’s CEO laundered $8 million in stolen customer funds with the help of Coinbase. Specifically, it is alleged that Cryptsy’s CEO Vernon opened two Coinbase accounts – one for himself and one for Cryptsy.  These accounts were allegedly used to launder $8.3 million with Vernon liquidating his customers’ bitcoin into cash and depositing said cash into his personal bank account.  At the time Vernon opened these accounts, he agreed to be subject to an arbitration clause when he “clicked a box to accept the terms of Defendant’s User Agreement.”

Vernon has since fled the country and early in the case, the district court appointed a receiver. Both Leidel and Cryptsy’s receiver sued Coinbase for (1) aiding and abetting Crypsty’s breaches of its fiduciary duties to its customers, (2) aiding and abetting Vernon’s theft of Cryptsy’s customer’s assets, (3) negligence in performing its duties as a depository of Cryptsy’s and Vernon’s accounts and (4) unjust enrichment with respect to the fees that Coinbase collected on the conversion of customers’ stolen bitcoin.  Both argue that Coinbase should be held liable for failing to investigate these accounts despite, among other things, “overtly suspicious activity indicative of misconduct[,]… clearing exorbitant amounts of cryptocurrency for Cryptsy that put Cryptsy among Coinbase’s highest volume users,” and failing to report said activity to government and regulatory authorities.

From the outset, Coinbase argued that the User Agreement between Cryptsy and itself controlled, and that Leidel would have to submit to arbitration – the receiver consented to arbitration being a party to the contract itself. Coinbase argued that Leidel was equitably estopped from relying on the contract for purposes of asserting rights and benefits under the agreement and rejecting the parts it did not want – i.e., the arbitration clause.  The court held that under either California or Florida law, arbitration could not be compelled under a theory of equitable estoppel because Leidel’s claims did not “arise from the terms of the contract [that is] emanate[] from an inimitable duty created by the parties’ unique contractual relationship.” The court noted that according to the complaint, the duties emanated from elsewhere – specifically the BSA and its implementing regulations to detect money laundering and other suspicious activities.  Thus “[b]ecause Leidel’s claims rely on obligations allegedly imposed by law and in recognition of public policy to persons who are strangers to the User Agreements, his claims neither rely on nor bear significant relationship to those agreements.” (emphasis added.)   Similarly under California law, the Court found that Leidel’s claims were not “inextricably intertwined with the underlying contractual obligations of the agreement containing the arbitration clause.”  Indeed, the Court reiterated that Leidel “seeks to enforce obligations allegedly imposed on Defendant by federal statutes, federal regulations, and state common law.” (emphasis added.)

Leidel, having now won on this issue, will have to argue that Coinbase owed a duty to noncustomers, Cryptsy’s clientele, and that duty arose out of something other than the User Agreement between Vernon and Coinbase. Leidel’s current theory appears to be that the duty to noncustomers arises out of the BSA and implementing regulations, but such a theory has been unsuccessful in the past.  Courts have held that a financial institution may owe a duty of care to a noncustomer in limited special circumstances – (1) where the financial institution owes a fiduciary duty to the noncustomer, (2) the bank knows or ought to know about said relationship and (3) the bank has actual knowledge of the customer’s misappropriation. It will be interesting to see whether Leidel has alleged enough to avail himself of these special circumstances.