Bridging the Weeks by Gary DeWaal: October 1 - 12 and October 15, 2018 (Self-Reporting Pays; Costly Cyber-Attack; No Systemic Threat by Crypto-Assets)
An international bank settled an enforcement action brought by the Commodity Futures Trading Commission for spoofing. However, in the process, the CFTC went out of its way to laud the bank for self-reporting the incident, as well as its cooperation in the CFTC’s investigation and voluntary efforts to enhance its internal processes to detect spoofing and train staff going forward. Separately, a UK-based financial institution was assessed a fine of the equivalent of approximately US $21.5 million by the Financial Conduct Authority for a cyber breach that detrimentally impacted some customers. Although the FCA acknowledged that the bank’s cybercrime framework was “appropriate,” it said that employees did not follow it. As a result, the following matters are covered in this week’s edition of Bridging the Weeks:
- Self-Reporting and Cooperation of Non-US-Based Bank Acknowledged by CFTC in Agreeing to US $800,000 Fine for Spoofing by Traders (includes Legal Weeds1 and Legal Weeds2);
- UK Bank Fined GB £16.4 Million Related to Cyber-Attack Because of Employee Breakdowns (includes Compliance Weeds);
- International Financial Regulator Coordinator Says Crypto-Assets Currently Pose No Threat to Financial Stability (includes My View); and more.
- Self-Reporting and Cooperation of Non-US-Based Bank Acknowledged by CFTC in Agreeing to US $800,000 Fine for Spoofing by Traders: The Bank of Nova Scotia – a Toronto, Canada-headquartered bank – agreed to pay a fine of US $800,000 to resolve charges brought by the Commodity Futures Trading Commission related to purported spoofing transactions by unnamed traders on its New York precious metals trading desk from June 2013 through June 2016.
Typically, said the CFTC, a trader would place a small order for gold or silver futures on the Commodity Exchange, Inc. at or near the best price, followed by a larger order on the opposite side of the market away from the best price. The goal of the spoofing order was to suggest greater buying or selling interest, and to induce execution of the trader’s small order. If the trader was successful, the trader’s small order would be executed after which the trader would cancel the larger order, alleged the CFTC.
According to the CFTC, BNS was alerted to the potential spoofing trading of one its NY-based traders by its futures commission merchant. In response, BNS conducted an internal review, terminated the one trader, and self-reported the trading activity to the CFTC, including providing “thousands of documents,” other information and analysis. BNS also implemented an enhanced surveillance system, hired a full-time surveillance monitor, and augmented its spoofing training programs, said the CFTC.
In a press release issued by the CFTC in connection with publication of the relevant settlement order, James McDonald, CFTC Director of Enforcement, stated that BNS received a “substantially-reduced penalty” because of its self-reporting and cooperation.
Legal Weeds1: Last year, Mr. McDonald made clear that potential wrongdoers who voluntarily self-report their violations, fully cooperate in any subsequent CFTC investigation, and fix the cause of their wrongdoing to prevent a re-occurrence will receive “substantial benefits” in the form of significantly lesser sanctions in any enforcement proceeding and “in truly extraordinary circumstances,” no prosecution at all. (Click here for background in the article “New Math: Come Forward + Come Clean + Remediate = Substantial Settlement Benefits Says CFTC Enforcement Chief” in the October 1, 2017 edition of Bridging the Week.)
Since then, the CFTC Division of Enforcement has routinely reiterated this view in connection with settlements of enforcement actions where it acknowledged self-reporting and cooperation. This settlement is the latest example.
Legal Weeds2: I don't ordinarily cover traditional fraud cases in Bridging the Week as they don't typically provide insight into novel legal theories or important new lessons for legitimate industry participants. However, a recent victory by the CFTC in its enforcement action against Gregory L. Gramalegui is worth noting. In that case, the CFTC prevailed in a litigation against Mr. Gramalegui where it had charged violations of the anti-fraud provisions of relevant law and disclosure requirements of CFTC rules in connection with his solicitation of customers for a futures trading system and an advisory service, among other offenses. The federal court in Colorado hearing this matter found that the CFTC proved its allegations and assessed a fine against Mr. Gramalegui of US $1.9 million and ordered disgorgement.
Among its claims, the CFTC charged Mr. Gramalegui with making false statements to it in connection with a provision of law added as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010. This provision renders it illegal for a person to make a false or misleading statement to the CFTC or omit material information to deceive the Commission, "if the person knew, or reasonably should have known, the statement was false or misleading" in connection with material facts. (Click here to access 7 U.S.C. § 9(2).)
According to the Court, "a statement is actionable under this section when it is either literally untrue or when it fails to include all information necessary to give the recipient a complete and accurate picture of the state of affairs communicated." Here the court found that the defendant violated this provision of law when he told the CFTC in connection with a deposition that he did not advertise for clients but that clients found him through Google and other search engines; he did not send out marketing emails between September 2014 and 2015; and he played no role in a statement on his website that "most traders have made enough on one trade to pay for the[ir] monthly subscription," as well as when he did not tell the CFTC that he communicated to customers other than through one identified email account and that he had altered the copy of his website prior to producing it to the CFTC, among other statements and misstatements. Each of these statements was false or misleading, said the court. Moreover, the court concluded that each of these misstatements and omissions was material and, accordingly, gave rise to a violation of the relevant provision of law.
Mom always said to tell the truth. The CFTC has tools to sanction persons for not following mom's advice. (Click here to access the court's full decision.)
- UK Bank Fined GB £16.4 Million Related to Cyber-Attack Because of Employee Breakdowns: The United Kingdom’s Financial Conduct Authority fined Tesco Personal Finance plc GB £16.4 million (US $21.5 million) for failing to exercise “due skill, care and diligence” in protecting its customers from the consequences of a cyber-attack in November 2016 involving bank-issued debit cards.
According to the FCA, because of a design flaw in the debit cards, the attackers used an algorithm to generate authentic debit card numbers, and used these numbers to engage in thousands of unauthorized customer debit card transactions. After the cyber-attack began and was first detected early on Saturday, November 5, 2016, staff committed a number of errors which delayed fully stopping the cyber-attack and restoring normal debit card use by all customers until November 9. Among these errors was that, once the cyber-attack was discovered, the internal team responsible for helping to resolve the cyber-attack emailed a fraud strategy inbox as opposed to telephoning the internal fraud analyst, as required by procedures. This, claimed the FCA, delayed resolution by 21 hours as the email was not reviewed promptly over the weekend. Additionally, once the cause of the cyber-attack was recognized, a number of initial fixes were ineffective. However, because the first fix was not monitored, Tesco did not recognize until only after a “few hours” that the fix did not work and that fraudulent transactions were increasing.
Although the FCA acknowledged that Tesco’s cybercrime framework was “appropriate,” it said that relevant individuals did not follow it. According to FCA, “[Tesco’s] financial crime framework was clear and each body within the framework had an appropriate role and each body worked together to achieve the common purpose of mitigating the risk of cybercrime.” Unfortunately, said the FCA, a cybercrime framework “is only as good as the individuals who work within it.”
Ultimately, 8,261 current accounts were impacted by the cyber-attack. The bank reimbursed customers for direct losses and removed all pending debits, as well as refunded all fees, charges, and interest that had been charged.
The FCA indicated that it would have fined Tesco GB £23.5 million (US $30.9 million) but for Tesco’s “high level of cooperation” during the FCA’s investigation, immediate retention of a third-party consultant to review the incident, implementation of the consultant’s recommendations, and other mitigation measures.
Compliance Weeds: Last month, the Securities and Exchange Commission settled an enforcement action against Voya Financial Advisors, Inc. – a registered broker-dealer and investment adviser – related to purported deficiencies in the firm’s cybersecurity procedures that the SEC alleged contributed to a cyber intrusion and compromise of customers’ personal information. These deficiencies constituted violations of the SEC’s Safeguard and Identity Theft Red Flags rules. (Click here for background in the article “Broker-Dealer Resolves SEC Charges That Inadequate Cybersecurity Procedures Led to Cyber Intrusion, Compromising Customer Personal Information” in the September 30, 2018 edition of Bridging the Week.)
Voya agreed to pay a fine of US $1 million to resolve the SEC’s enforcement action.
Earlier this year, AMP Global Clearing LLC, a Commodity Futures Trading Commission-registered FCM, agreed to pay a fine of US $100,000 to resolve an enforcement action brought by the Commission claiming that it failed to supervise a third party’s implementation of “critical” provisions of its information system security program. As a result of this failure, said the Commission, AMP’s technology system was compromised by an unauthorized individual (Infiltrator) who impermissibly copied approximately 97,000 files, including many files that contained confidential personal information. (Click here for background in the article “CFTC Says Futures Brokerage Firm’s Failure to Supervise Led to Unauthorized Cyber-Attack” in the February 18, 2018 edition of Between Bridges.)
Both SEC and CFTC-registered entities should ensure they maintain a robust information system security program to minimize the likelihood of a cyber-attack as well as policies and procedures expressly designed to detect, prevent and mitigate identity theft in connection with the opening and maintenance of any covered account. This program must be appropriate in light of the size and complexity of the financial institution and nature and scope of its activities. A covered account includes an account for personal, family or household purposes that is intended to permit multiple payments or transactions. This includes a brokerage account or an account at an investment company. However, a covered account also includes any account at a financial institution “where there is a reasonable or foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”
All policies and procedures should be regularly reviewed and updated, as appropriate, and at least annual firm-wide training and ongoing evaluations of critical systems should be implemented. Firms should consider in advance how they would respond to different types and degrees of cyber-attacks. Periodic drills involving mock phishing episodes and cyber-attacks should also be considered to heighten employee readiness.
- International Financial Regulator Coordinator Says Crypto-Assets Currently Pose No Threat to Financial Stability: The Financial Stability Board issued a report concluding that crypto-assets do not currently pose a “material risk” to global financial stability. However, if crypto-asset markets became more significant, market liquidity risks, volatility risks, leverage risks, and technological and operational risks “could possibly lead to financial stability implications,” claimed the FSB.
According to the FSB, today, crypto-asset ownership appears limited among a few market participants. This limits market depth and diminishes the ability of markets to handle large trading volumes. Moreover, noted the FSB, the value of crypto-assets is not derived from the value of underlying assets but from speculation. As a result, to date, the prices of crypto-assets have been “highly volatile.” Additionally, said the FSB, the distributed ledger technology underlying crypto-assets has “limited or no formal governance structure,” and may be subject to “technological errors and limitations.” Among other things, observed the FSB, “[d]ecentralisation and lack of or inadequate governance makes it difficult to resolve technological limitations or errors and may lead to uncertainty and ‘hard forks’ [in proof of work governance structures] by a subset of miners.”
The FSB expressed concern that if crypto-assets were more widely used, “negative developments involving crypto-assets could undermine confidence in certain aspects of the financial system and in financial regulators.”
The FSB indicated that, going forward, it will continue to monitor the risk of crypto-assets to financial stability on an “ongoing basis.” Established in 2009, the FSB is an international organization comprising representatives of national authorities responsible for financial stability in material international financial centers that monitors and makes recommendations about the global financial system.
Among other developments these past two weeks involving crypto-assets:
- ICO Claiming SEC Approval Halted by SEC: The Securities and Exchange Commission obtained an emergency order from a federal court in California against Blockvest, LLC, a purported digital asset-related financial products and services company, and Reginald Ringgold, III, the claimed founder of Blockvest, in connection with the firm’s initial coin offering of its BLV digital token. According to the SEC, the defendants falsely claimed that their ICO received regulatory approval from the SEC when it did not, and misrepresented that Blockvest had a relationship with Deloitte, a public accounting firm, when it did not. The SEC also charged that the defendants misrepresented their status with the National Futures Association even after being warned to stop such false claims by NFA. The emergency order froze defendants’ assets and temporarily prohibited them from violating the anti-fraud laws.
- trueEX Submits Self-Certification of Bitcoin Physically Delivered Swap Contract to CFTC: trueEX LLC – a Commodity Futures Trading Commission swap execution facility – submitted to the Commission new product terms and conditions for a physically delivered uncleared bitcoin swap contract that will be available solely to eligible contract participants. The contract size of the swap, as proposed, will be one bitcoin, and would have maturity dates of the last Friday of the nearest three serial months, and the nearest four months in the quarterly cycle of March, June, September, and December. Each trueEX participant trading bitcoin swaps must first appoint a settlement agent that will provide cash settlement services, including margining and final settlement. Holders of bitcoin swap contracts will be subject to initial and variation margin obligations; the contracts do not appear intended to be fully collateralized. Absent objection, trueEX amended rules and regulations will be effective no earlier than October 17, 2018.
- FinCEN Issues Iran Warning to Crypto Exchanges: The Financial Crimes Enforcement Network of the US Department of Treasury issued an advisory to help financial institutions, including money service businesses engaging in cryptocurrency activities, comply with US sanctions against Iran, the Government of Iran or Iranian financial institutions unless exempt. FinCEN warned virtual currency providers that have Bank Secrecy Act and US sanctions obligations to be aware of and have appropriate systems to comply with all relevant sanctions and anti-money laundering/combating the financing of terrorism requirements. Among other things, FinCEN indicated that relevant institutions “should consider reviewing blockchain ledgers for activity that may originate or terminate in Iran.”
- SEC Reconsiders GraniteShares Bitcoin ETFs: The Securities and Exchange Commission sought comments on Cboe BZX Exchange, Inc.’s proposed rule change to authorize the listing and trading of shares of the GraniteShares Bitcoin Exchange Traded Fund and the GraniteShares Short Bitcoin ETF. In August 2018, the SEC’s Division of Trading and Markets, pursuant to delegated authority, disapproved the proposed rule change, but the Commission promptly indicated it would review the determination. Each fund proposes to track bitcoin futures contracts. The SEC will accept comments to the proposed rule change proposal for 21 days following the publication of its notice in the Federal Register.
My View: The crypto-asset market is very small today compared to other financial assets. According to the FSB, the market capitalization of crypto-assets peaked on January 8, 2018, at an estimated US $830 billion, 35 percent of which was attributable to bitcoin. As of October 4, market capitalization had declined to approximately US $210 billion. This represented .9 percent of the market capitalization of the S&P 500 on that date, and 2.8 percent of the global value of gold.
Views on the potential benefits of distributed ledger technology and associated crypto-assets are widely divergent. Last week Nouriel Roubini, Professor of Economics at the Stern School of Business, New York University, testified before the US Senate Committee on Banking, Housing and Community Affairs that “[b]itcoin and other cryptocurrencies represent the mother of all bubbles” and that “blockchain is the most over-hyped – and least useful – technology in human history.” Alternatively, Peter Van Valkenburgh, Director of Research at Coin Center, argued before the same subcommittee that “the benefits of [blockchain] technology are real.” He said that digital cash offers “efficiencies that existing electronic transmission cannot,” digital identity “may solve many of our online security woes,” and the internet of things “may spur greater security, competition, and an end to walled gardens of non-interoperability for connected devices.”
We are less than 10 years from the mining of the first 50 genesis bitcoins. Today the hype of distributed ledger technology and crypto-assets is likely far louder than the number of effective use cases. However, it is hard to imagine that elements of DLT – application of strong cryptography to support blockchains, transactions validated by a consensus protocol designed to be trustless, the capability to transmit and access a store of value anywhere and anytime, and the ability to code technology to self-execute contractual terms – are important innovations that continue to be developed and advanced. No one can predict whether any crypto-asset or specific blockchain existent today will survive tomorrow or even be around in today’s form. However, DLT and crypto-assets of some kind are likely to be with us for a long time.
- Interdealer Broker, CEO and Senior Manager Named in CFTC Enforcement Action for Communicating Fake Bids, Offers and Executions in FX Options Market; Board Chairman Settles Related Supervisory Charges: TFS-ICAP, LLC and TFS-ICAP Ltd. were charged by the Commodity Futures Trading Commission with attempting to deceive and deceiving their clients through fake bids and offers and fake trades involving foreign exchange options from 2008 through 2015. The purpose of the purported wrongful actions, said the CFTC, was to create an impression of greater liquidity and tighter spreads on TFS-ICAP’s trading platform to induce clients to trade. Two senior managers at TFS-ICAP – Jeremy Woolfenden, Global Head of Emerging Markets FX Options, and Ian Dibb, CEO of TFS-ICAP from 2011 through the present time – were also charged by the CFTC for the companies’ violations and failure to supervise because of their purported knowledge and encouragement of the alleged wrongdoing. The CFTC seeks disgorgement of benefits, fines, and registration bans, among other penalties against all defendants. The CFTC filed its enforcement action in a federal court in Manhattan. Separately, Michael Leibowitz, Chairman of the Board of TFS-ICAP agreed to pay a fine of US $250,000 for not developing or having implemented policies and procedures that prohibited the alleged wrongful conduct.
- CBOE Futures Exchange Amends and Reissues Guidance on ECRPs: Cboe Futures Exchange issued revised guidance on authorized exchange of contract for related position transactions – more commonly referred to as exchange for related position transactions on other derivative exchanges. On CFE, authorized ECRP transactions must involve (1) a CFE contract and a transaction in a related position or option on a related position; (2) actual transfer of ownership and an ability to perform the ECRP; and (3) separate parties on each side of the ECRP. The related position for an ECRP may include a security, a derivative, any commodity under applicable law, or a group or basket of any of the foregoing provided all related positions must have a high degree of price correlation to the underlying contract. No related position may be a contract traded on or subject to CFE rules, and no contingent ECRPs are permitted. An ECRP is an exception to the Commodity Futures Trading Commission rule that all futures contracts must be openly and competitively executed. (Click here to access CFTC Rule 1.38.)
- CME Group Exchanges Sanction Three Traders for Wash Sales, One for Spoofing: TRC World Group and two of its employees – Travis Haymore and John Morgan – resolved charges brought by a Chicago Board of Trade business conduct committee that, on various dates in August 2016, each respondent engaged in wash sales. The purpose of the transactions, said the CBOT, was to roll forward existing positions. TRC was also charged with failure to supervise for not providing appropriate training to its employees. TRC consented to a fine of US $30,000, while both Mr. Haymore and Mr. Morgan agreed to pay fines of US $10,000 and be suspended from trading on all CME Group exchanges for five business days. Separately, Eamon O’Floinn was charged in and settled a disciplinary action with the Chicago Mercantile Exchange for disruptive trading. According to CME, Mr. O’Floinn entered and canceled orders in various CME futures contracts during the pre-opening period that were not entered for purposes of execution, but to assess the depth of the order book. He purportedly engaged in such conduct from November 1, 2016, through June 15, 2017. He agreed to pay a fine of US $10,000 and a 10-day all CME Group exchange trading prohibition to resolve this matter.
- Options Trader Who Settled Related Criminal Charges Resolves CFTC Enforcement Action for Trading Futures Options to Disguise Trading Losses: Thomas Lindstrom, the former options trader who engaged in unauthorized trading activities that led to a US $14 million loss for his employer, settled an enforcement action for his conduct with the Commodity Futures Trading Commission. Mr. Lindstrom agreed to pay a penalty of US $855,000 and restitution of US $14 million. Mr. Lindstrom pleaded guilty to criminal charges related to his matter in January 2018, and will be sentenced later this year. (Click here for background in the article “Trader Indicted for Exploiting Minimum Futures Pricing Convention to Hide Trading Losses and Causing Firm Collapse; CFTC Also Files Civil Charges” in the December 2, 2016 edition of Bridging the Week.)
- CFTC Proposes to Amend Rules to Track Previously Granted No-Action Registration Relief for CTAs and CPOs; Issues Cross-Border Swaps Reform White Paper: The Commodity Futures Trading Commission proposed rule amendments to codify existing staff advisories and no-action letters to authorize commodity pool operators to easier facilitate certain off-shore business, as well as registration relief for CPOs and commodity trading advisers who are or advise family offices or are advisers of business development companies. Separately, the National Futures Association issued guidance to CTAs and CPOs to assist them to more accurately report two financial ratios – the current asset/current liability ratio and total revenue/total expense ratio on quarterly filed NFA Forms PQR and PR. Among other things, NFA noted that both ratios must be calculated using the accrual method of accounting. Additionally, CFTC Chairman J. Christopher Giancarlo issued a white paper recommending a number of cross-border swaps reforms. Mr. Giancarlo recommended that the CFTC use its exemptive authority to authorize comparatively regulated non-US clearinghouses to provide clearing services to US customers indirectly through non-US clearing members and exempt comparably regulated non-US based trading venues from registration with the CFTC as swap execution facilities, among other reforms. (Click here for background on Mr. Giancarlo’s proposals in the article “CFTC Chairman Proposes to Reform Cross-Border Swaps Rules Guidance” in the September 9, 2018 edition of Bridging the Week.)
- SEC Seeks More Views on Proposal for Security-Based Swap Dealers’ Capital, Margin and Segregation Requirements: The Securities and Exchange Commission reopened its comment period for amendments and new rules first proposed in October 2012 that address capital, margin and segregation requirements for certain security-based swap dealers and major security-based swap dealers, as well as net capital and liquidity requirements for broker-dealers who use an internal model for computing net capital. Comments will be accepted for 30 days following publication of the SEC’s proposals in the Federal Register.