Bridging the Week by Gary DeWaal: September 18 to 22 and September 25, 2017 (My Affiliate’s Keeper?; CFTC Flexes Cryptocurrency Muscle; Can SEC Keep a Secret?)
Last week, the Commodity Futures Trading Commission required a futures commission merchant to pay a fine of US $2.5 million to resolve charges it failed to supervise a response to a CME Group investigation when the FCM relied on an affiliate’s analysis of the affiliate’s own block trades – and the analysis turned out to be misleading. Separately, the FCM's affiliate agreed to pay an additional fine of US $2.5 Million in connection with an investigation by the US Attorney's Office for the Western District of North Carolina for trading ahead of customers in connection with block trades. Also, the CFTC dramatically expanded its footprint in the oversight of cryptocurrencies when it brought an enforcement action against two persons in connection with an alleged Ponzi scheme involving Bitcoin. Importantly, the CFTC's complaint included no allegations regarding futures or swaps. As a result, the following matters are covered in this week’s edition of Bridging the Week:
FCM Agrees to Pay US $2.5 Million CFTC Fine for Relying on Affiliate’s Purportedly Misleading Analysis of Block Trades for a CME Group Investigation (includes Compliance Weeds, and My View);
CFTC Files Charges Alleging Bitcoin Ponzi Scheme Not Involving Derivatives (includes Legal Weeds);
SEC Discloses Trading May Have Occurred Based on Confidential Information Illicitly Obtained From Hack of EDGAR System in 2016 (includes My View and Compliance Weeds); and more.
FCM Agrees to Pay US $2.5 Million CFTC Fine for Relying on Affiliate’s Purportedly Misleading Analysis of Block Trades for a CME Group Investigation: Merrill Lynch, Pierce, Fenner & Smith Incorporated agreed to pay a fine of US $2.5 million to resolve charges brought by the Commodity Futures Trading Commission that, from January through October 2010, the firm failed to diligently supervise responses to a CME Group Market Regulation (“CME Market Regulation”) investigation related to block trades executed by its affiliate, Bank of America, N.A. (“BANA”) on the Chicago Mercantile Exchange and the Chicago Board of Trade. The CFTC also charged Merrill – a CFTC-registered futures commission merchant – with having inadequate procedures related to the preparation and maintenance of records related to block trades, and for failing to prepare and/or maintain records related to certain block trades, as required by Commission regulation, from at least January 2010 through June 2012.
Separately, BANA agreed to pay an additional fine of US $2.5 million to resolve an investigation brought by the US Attorney's Office for the Western District of North Carolina for engaging in impermissible pre-hedging activity in connection with block trades. According to a settlement agreed to by BANA, during the relevant time, on occasion, some BANA traders would secretly listen to telephone calls by other BANA traders with customers regarding block trades, and pre-hedge those transactions prior to the block trades being consummated At the time, pre-hedging of block trades was not permitted on CME Group exchanges until after a block trade was executed.
According to the CFTC, in response to various inquiries by CME Market Regulation whether certain BANA personnel traded futures on CME Group’s Globex electronic trading platform in advance of executing corresponding block trades, Merrill’s legal and compliance staff (“L&C Staff”) relied on BANA’s business operations support group (“the Support Group”) to assemble relevant information and to communicate with relevant BANA traders, as necessary. CME Market Regulation’s inquiries were conducted from February 2008 through December 2010.
In response, said the CFTC, the Support Group – which did not report to Merrill’s or BANA’s L&C Staff – provided Merrill’s L&C Staff an analysis of the relevant trading that omitted showing “that on a number of occasions, certain [BANA] Swaps Desk traders traded substantial volumes of futures contracts on Globex in the five minute window before the recorded execution time of a block trade in that same futures contract.” BANA’s Support Group knew this information but kept it from Merrill’s L&C Staff.
Moreover, claimed the CFTC, BANA’s traders did not admit to trading ahead during interviews conducted by CME Market Regulation staff during November 2010. Consistent with this testimony, outside counsel for Merrill also wrote to CME Market Regulation in December 2010 “in reliance on the traders’ representations” that BANA’s traders “did not have advance knowledge of a block trade such as to enable them to engage in any trading prior to the execution of the block.” BANA withdrew this letter in May 2013.
The CFTC charged that Merrill’s L&C Staff’s reliance on BANA’s Support Group without more closely monitoring its work contributed to the firm’s inability to detect the purported trading ahead before BANA’s traders provided misleading information to CME Market Regulation. The CFTC charged that Merrill’s L&C Staff’s “minimal oversight” over the Support Group and failure “to stay adequately informed” of the Support Group’s findings constituted a failure to supervise its employees and agents in violation of CFTC requirements.
The CFTC also charged as a failure to supervise that, from at least January 2010 through October 2010, Merrill had “inadequate procedures” regarding, among other matters, who was responsible for the preparation and maintenance of records related to block trades and how employees should record the execution time of a block trade. The Commission additionally alleged that, from at least January 2010 through June 2012, Merrill did not always record a correct execution time in connection with block trades on relevant trade tickets. This, said the Commission, constituted a violation of the CFTC’s recordkeeping requirements.
In addition to agreeing to pay a fine, Merrill consented to have audits conducted at certain prescribed intervals during the next five years regarding certain elements of its handling of block trades. Merrill did not admit or deny any findings or conclusions published by the CFTC in agreeing to its settlement. BANA also agreed to various undertakings to resolve the US Attorney's Office's investigation; it agreed to all facts in its settlement order.
Both the CBOT and CME brought disciplinary actions against Merrill during October 2013 for failure to supervise; making a verbal or material misstatement to it; and not preparing accurate records regarding, and timely reporting, block trades, as required. The facts underlying the CME Group disciplinary actions appear materially the same as those behind the CFTC’s action. Merrill agreed to pay an aggregate fine of US $250,000 to settle the CME Group disciplinary actions.
Bank of America Corporation ("BoA") owns both Merrill and BANA, although it did not completely acquire Merrill until January 1, 2009, after the initiation of CME Market Regulation's inquiries regarding BANA's block trades. BoA originally announced its intention to purchase Merrill during September 2008.
Compliance Weeds: Prior to November 8, 2016, all persons trading on CME Group exchanges were prohibited from engaging in pre-hedging transactions after receiving a counterparty order for a futures block trade until after such block trade was executed. Now, pre-hedging/anticipatory hedging is permitted on CME Group as well as other exchanges under certain circumstances, except when an intermediary takes the opposite side of its own customer order.
My View: Although BANA admitted to impermissibly pre-hedging block trades and agreed to material sanctions for that offense, an important fall-out of Merrill's CFTC settlement order is the suggestion that registrants have an affirmative obligation of some kind to ensure that information and analysis they obtain from accountholders is accurate prior to passing it along to regulators even when they have no notice that such information may be inaccurate.
Here, as best as can be surmised from the limited facts set forth in the “Commission’s Order Instituting Proceedings, Making Findings, and Imposing Remedial Sanctions,” Merrill, in connection with a CME Group investigation, relied on an affiliated company (BANA)’s staff to obtain information about BANA’s activities. This is not uncommon within group structures. Likewise, it is not uncommon for registrants to make requests to customers, including affiliated companies, for information requested by regulators and pass along the information to the regulators without substantively testing the accuracy of the production.
There is no suggestion in the settlement order that Merrill somehow directly or indirectly oversaw or was responsible for BANA's swaps desk. Indeed the settlement order makes clear that BANA's Support Group acted fully independently of Merrill's L&C Staff. Moreover BANA's settlement did not suggest any role in its improprieties by Merrill.
According to the CFTC, the bad fact here is that BANA’s personnel allegedly provided Merrill with misleading information, which Merrill’s L&C Staff, and apparently outside counsel for Merrill, relied on – although there was no suggestion they relied on the information in bad faith. As a result, charged the CFTC, Merrill did not detect its affiliate’s possible wrongful conduct and somehow contributed to BANA’s traders providing purportedly misleading testimony to CME Group’s Market Regulation staff during interviews. This, claimed the CFTC, constituted a “failure to supervise” by Merrill of its employees and agents.
The relevant CFTC rule requires Commission registrants effectively to diligently supervise the handling “by its partners, officers, employees and agents…of all commodity interest accounts… and all other activities [of such persons]… relating to its business as a Commission registrant.” However, it is not clear from the settlement precisely what and whom Merrill failed to supervise.
When an affiliate or a third-party customer provides information or analysis to a registrant in response to a regulatory inquiry, it’s not the registrant’s fault if the information is false – absent knowledge by the registrant, or information that arguably suggests that the registrant should have known of the falsehood. Moreover, when a third-party customer or even an affiliate produces information to a registrant for ultimate production to a regulator, the accountholder is acting as principal and the registrant is acting as agent, not the other way around. The Merrill settlement seems to have gotten common sense and relationships wrong: this is not a circumstance of failure to supervise by a registrant; this is a circumstance of an accountholder – as principal – not necessarily telling the truth. Merrill – as far as it seems from the settlement order – was acting solely as an agent in serving as a conduit for information from BANA to CME Market Regulation.
Moreover, it is not clear why the CFTC chose to include in the settlement order a reference to the letter by outside counsel to CME Market Regulation. Apparently, outside counsel may also have been misled by BANA, Merrill’s principal. However, it is unclear how the counsel’s actions contributed (if at all) to Merrill’s failure to supervise charge.
The CFTC can now rely on an express provision of law to prosecute persons that make any false or misleading statement of a misleading material fact to it provided "the person knew, or reasonably should have known, the statement to be false or misleading." (Click here to access Commodity Exchange Act Section 6(c)(2), 7 U.S.C. §9(2).) The CFTC contorts the scope of this law unfairly in this matter.
Going forward, it appears that, when investigating potential wrongdoing by an accountholder, registrants may continue to rely on the accountholder for information. However, registrants may now be expected by the CFTC under their duty of supervision to at least somehow independently assess the reliability of the information – particularly analyses performed by persons that may not be truly independent of a potential wrongdoer – even when a registrant has no reason to think the information may be false or misleading. This may not be practical and seems contrary to the spirit of CEA Section 6(c)(2). Registrants may be required to know their customers, but they cannot be guarantors of their credibility.
Note: This article was amended by 7:30 am on September 25 after initial publication to include information related to the US Attorney's Office investigation and BANA's settlement.
CFTC Files Charges Alleging Bitcoin Ponzi Scheme Not Involving Derivatives: Gelfman Blueprint, Inc., and Nicholas Gelfman, its chief executive officer and head trader, were sued by the Commodity Futures Trading Commission for running a Ponzi scheme related to Bitcoin. However the CFTC's allegations regarding the defendants' handling of Bitcoin pertained to Bitcoin alone, not futures or swaps based on Bitcoin.
According to the CFTC’s complaint filed in a federal court in New York City, from at least January 2014 through at least January 2016, the defendants solicited approximately US $600,000 from at least 80 customers to trade Bitcoin in a pooled fund using a proprietary algorithm called “Jigsaw.” However, charged the CFTC, the defendants misappropriated most of this money for their own use and rarely traded for customers. The defendants furthered their alleged fraud, claimed the CFTC, by making false and misleading statements to potential and actual investors by, among other things, overstating customers’ balances, falsely representing trading performance and activity, and falsely representing past performance. The CFTC seeks a permanent injunction against the defendants, disgorgement and fines, as well as other relief.
Legal Weeds: This CFTC complaint has significant ramifications beyond its four corners. It represents a powerful statement by the Commission that it will exercise jurisdiction over cryptocurrencies when there is potential fraud – even if the fraud does not involve derivatives based on cryptocurrencies.
The genesis of this position is grounded in the Commodity Exchange Act – the law under which the CFTC derives its authority.
According to the CEA, a commodity is any of certain enumerated traditional commodities (e.g., wheat, cotton, corn) and “all other goods and articles” (emphasis added) except onions and motion picture box office receipts. In 2014, Timothy Massad, then chairman of the CFTC, declared that cryptocurrencies were commodities under the CEA, and the CFTC subsequently brought two enforcement actions against persons for engaging in activities requiring registration under the CEA without being registered. In July, the CFTC also approved the registration of LedgerX as a swap execution facility and derivatives clearing organization to handle fully collateralized swaps potentially settling in cryptocurrencies.
The CFTC brought its current action under a relatively new provision of law (enacted as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act) and Commission regulation that prohibits any person from using a manipulative or deceptive device or contrivance in connection with any “contract for sale of any commodity in interstate commerce” – not solely in connection with swaps or a commodity for future delivery on or subject to the rules of any registered entity. The CFTC has previously employed these legal provisions in response to a wide variety of fact patterns from their first use in the JP Morgan “London Whale” episode to allegations of illegal off-exchange metals transactions, insider trading, claims of more traditional manipulation and attempted manipulation (without endeavoring to show an artificial price) and allegations of spoofing.
The CFTC's willingness to use these provisions in response to a fact pattern related to a commodity only – Bitcoin –, and not to futures or swaps based on Bitcoin, is a powerful statement about its view of its own role in the cryptocurrency arena going forward.
SEC Discloses Trading May Have Occurred Based on Confidential Information Illicitly Obtained From Hack of EDGAR System in 2016: Last week, in a press release innocuously headlined “SEC Chairman Clayton Issues Statement on Cybersecurity,” the Securities and Exchange Commission disclosed that, last month, it discovered that its Electronic Data Gathering, Analysis and Retrieval system (EDGAR) was hacked during 2016, and that persons may have profited from trading on unauthorized information obtained through such intrusion.
(EDGAR is used by the SEC to collect submissions by companies and foreign governments required to periodically file certain information with it.)
The SEC noted, however, that it does not believe that the hacking resulted in the compromise of personally identifiable information. The SEC said that the hacking occurred through the test-filing component of the EDGAR system and was patched “promptly after discovery.”
Just last month, the SEC’s Office of Compliance Inspections and Examinations issued a report saying that while firms have “increased cybersecurity preparedness” since 2014, broker-dealers’, investment advisers’ and investment companies’ cybersecurity policies and procedures are not uniformly tailored to their business because they are too vague or general and are not always followed or enforced.
Moreover, the SEC has brought two enforcement actions against registrants for failing to comply with Regulation S-P over the past two years. Under this regulation, registered broker-dealers, investment advisers and investment companies must adopt written policies to help protect customer records and information. The rule addresses administrative, technical and physical safeguards regarding such information.
My View: In June 2016, the SEC’s Office of the Inspector General issued a report criticizing the agency’s handling of information security. Among other things, the OIG said that the SEC’s Office of Information Technology did not “effectively” monitor the risks of system authorizations. Two month’s later, the SEC’s Inspector General announced that it issued a report to Congress related to the security of confidential personally identifiable information collected and retained by the Commission. However, because “this report contain[ed] sensitive information about the SEC’s security program,” the Inspector General declined to publicly release the report or even a high-level summary. This seemed odd at the time; it seems even odder under current circumstances. Perhaps at least some sanitized version of this report should be issued now. This is particularly important as the SEC continues to oversee the development of a single consolidated audit trail (known as “CAT”) to track all equities and options trading on US markets. The temptation to hack such a centralized and rich database might be very high for nefarious persons and, as a result, protections and governance around CAT must be exceptionally strong.
Compliance Weeds: Unfortunately, as I have frequently written previously, there are only two types of financial services firms: those that have experienced cybersecurity breaches and addressed them, and those that have experienced cybersecurity breaches and did not know. (I will now add government agencies to my frequent statement.) By this time, all financial service firms and government agencies—no matter what size—should have assessed or be in the process of assessing or reassessing the scope of their data (e.g., customer information, proprietary), potential cybersecurity risk, protective measures in place – including ongoing testing, consequences of a breach and cybersecurity governance (e.g., how would they react if a breach occurred) in order to evaluate their cybersecurity needs and develop a robust protective program. (Click here for a dated but still useful discussion of cybersecurity and a comprehensive checklist of practical measures in the June 24, 2015 Advisory entitled “Cyber-Attacks: Threats, Regulatory Reaction and Practical Proactive Measures to Help Avoid Risks”)
CFTC Enhances Online Form 40 Portal: The Commodity Futures Trading Commission’s Office of Data and Technology has rolled out enhancements to its portal through which certain reporting traders are required to file CFTC Form 40s. The enhancements include introduction of a wizard-style format to allow users to navigate through different sections of the form; an autosave feature, and the ability to generate a PDF version of a finally submitted form. (CFTC Form 40 requires information regarding a reporting trader including name, address and contact person; the identities of persons that own (10 percent or more interest) or control the reporting trader, and subsidiaries (10 percent or more interest) of the reporting trader that engage in derivatives trading) Separately, the National Futures Association will add to information it requires electronically from introducing brokers regarding certain financial statement balances and audited and consolidated financial statement filed through EasyFile or Winjammer. This information — that previously was collected subsequent to electronic filings through questions asked by NFA staff — will be added to September 30, 2017 filings.
E*TRADE Securities HK Sanctioned for Referring Accounts to Non-HK-Registered Affiliate: E*TRADE Securities HK was fined HK $20,000 (approximately US $2,560) and costs by a court in Hong Kong for introducing public accounts to E*Trade Securities LLC in the United States from May 2009 through January 2014 when the US firm was not licensed in Hong Kong. The lawsuit was initiated by the HK Securities and Futures Commission.
Afghanistan and Lao PDR Removed From FATF’s AML/CFT Deficiency List: The Financial Crimes Enforcement Network of the US Department of Treasury updated its advisory of global Financial Action Task Force’s list of jurisdictions with strategic anti-money laundering issues. FATF has removed Afghanistan and Lao PDR from its list of jurisdictions with deficiencies in strategic AML and combatting the financing of terrorism.