Public Statements & Remarks

Remarks of Enforcement Director Ian McGinley at the City Bar White Collar Institute: “Trends in the CFTC’s Recent Crypto Enforcement Actions”

May 23, 2024

  1. Introduction

Thank you for that introduction. As is customary, I’ll start with the standard disclaimer: These comments are my own and do not necessarily reflect the views of the Commodity Futures Trading Commission (CFTC), its Commissioners, or CFTC staff.

It’s a true thrill to be here. Most of my professional career has been spent in the white collar world here in my home town. It’s also nice to see people here who have taught me so much over the years—former colleagues, former adversaries, and some people who are a bit of both. I’m honored to have the opportunity to address you all.

I’ve been Director of Enforcement at the CFTC for over a year now and there is one topic that I’ve been asked about the most by everyone: digital assets, commonly known as crypto. And I’m often asked what does the future of CFTC digital asset enforcement look like with the evolving digital assets marketplace.

Now, I do not have a crystal ball and you never know what the future holds. But today I’m going to discuss some of the recent enforcement actions we have brought, which may provide some guidance. I’ll say at the outset that the digital asset commodity space has become significantly more complex, and our enforcement efforts reflect that.

Enforcement in this space has also become a huge CFTC priority. It’s been about a decade since we brought our first digital asset case. In the last fiscal year, digital asset cases accounted for almost 50% of our docket. And the majority of our whistleblower tips last fiscal year related to digital assets. That is tremendous growth in just a decade.

Many of our initial cases were basic frauds, and with time, the scope of these cases only increased. For example, in 2022, we charged Mirror Trading and other defendants for a fraud in which the defendants stole over $1.7 billion in digital assets from its victims, which included over 23,000 victims in the U.S. In our currently pending case against Stephen Ehrlich, former Voyager CEO, we allege that Voyager lent over $650 million in customer digital assets to high-risk third parties, and that by the time Voyager filed for bankruptcy, it owed its U.S. customers more than $1.7 billion. In our pending case against Celsius and its CEO, the complaint alleges that the firm induced customers to deposit over $20 billion of assets with Celsius—and that when Celsius declared bankruptcy, its liabilities exceeded its assets by a billion dollars. And, of course, the size and scope of the FTX fraud has been widely discussed.

I should also note that for many of these cases, we worked in parallel with the Department of Justice, SDNY, and the SEC. I’m glad to see so many of our partners here today. Cooperative enforcement has been—and continues to be—a priority for the CFTC.

While we continue to bring fraud cases, the landscape is changing. The digital asset marketplace has matured greatly in the sixteen years since the Satoshi white paper: the global digital asset market cap is now over $2 trillion. The players, the regulatory issues, and, in some instances, the violative conduct have become much more sophisticated. And as the digital asset environment becomes more complex, moving from individuals holding a token in a wallet to an environment with domestic and foreign self-described exchanges, prime brokers, ETFs, decentralized platforms and, increasingly, the participation of the full range of traditional financial firms, the tools we use and the kinds of issues we focus on are also becoming more complex.

From my perspective, there are at least three topics relating to digital assets beyond fraud and manipulation cases that have been a focus for the Division in recent cases we have brought.

First, we are focused on individuals and entities that seek to evade our rules. We have an anti-evasion provision, Regulation 1.6, which makes it unlawful to conduct activities outside the United States in order to willfully evade or attempt to evade certain provisions of the Commodity Exchange Act. We used this regulation for the first time in our landmark Binance case and will use it again where appropriate.

Second, we are focused on third-party intermediaries who may connect U.S.-based market participants to unregistered and lawbreaking entities. Our recent enforcement action against Falcon Labs is an example, which I will discuss shortly. This was our first action against an intermediary in the digital asset space.

And third, there is always a focus on compliance with the full range of our regulatory requirements—and this applies both to firms that do register with us and firms that should have but did not. For example, if you are acting as a futures commission merchant or an introducing broker—two types of registrants in our space—we will be looking carefully to make sure you are complying with our Know Your Customer (“KYC”), Anti-Money Laundering (“AML”), and other regulatory requirements.

Now let’s turn to these areas of focus.

  1. Anti-Evasion

The Commission under the Dodd-Frank Act implemented an anti-evasion regulation. That Regulation, Regulation 1.6, prohibits conducting activities outside the United States to willfully evade certain provisions of the Commodity Exchange Act and its regulations. And it is particularly applicable to some actors in the digital asset space who may tout that they are not subject to U.S. regulation, including KYC and AML requirements. Regulation 1.6 strikes directly at those who use this tactic and try to undermine CFTC regulations and harm U.S. persons.

The importance of Regulation 1.6 is shown in our landmark litigation against Binance, its former CEO, and its former Chief Compliance Officer. That case resulted in changes in executive leadership at the firm, extensive undertakings for Binance, $2.85 billion in combined monetary relief to the CFTC—and a total of $4.3 billion in relief paid across U.S. agencies. Binance is emblematic of our approach to those who seek to circumvent the U.S. regulatory system. Working in parallel with criminal authorities, we sued Binance, its then CEO, and its former Chief Compliance Officer, alleging that Binance had actively solicited both retail and institutional customers in the United States to become Binance clients and enter into digital asset derivatives transactions through Binance. The complaint alleges that Binance took deliberate steps to solicit those customers and to evade CFTC regulation. For example, Binance and its officers instructed customers to use virtual private networks, or VPNs, to obscure their location, allowing those customers to continue trading because, for a long time, Binance did not require its retail users to submit any identity-verifying information. Binance also coached its corporate customers to evade the controls Binance itself had put in place by creating shell companies and trading through those shell companies.

The allegations here are eye-catching: the complaint references a communication describing the Binance CEO’s view of choosing not to comply with U.S. law as a quote-unquote “biz decision.”[1] The ultimate resolution, a $4.3 billion resolution including $2.85 billion in CMPs and disgorgement to the CFTC by Binance—shows how both we and our law enforcement partners viewed the gravity of this conduct.

One lesser remarked upon element of the complaint was that Binance evaded U.S. regulation in part through the use of least two prime brokers. The use of the prime brokers made it easier for U.S. customers to access Binance even though Binance had taken steps to superficially restrict access to its platform. The resolution put a stop to this: Binance certified that any customer that seeks to open an account or sub-account would have to satisfy Binance’ s onboarding process including all KYC Policies. And Binance had to certify that it applied its KYC policies and procedures to all subaccounts—like those managed by prime brokers—and had offboarded all retail and corporate sub-accounts that failed to meet Binance’s compliance controls and criteria.

  1. Intermediary Liability

Intermediary liability is another area of focus. The Commodity Exchange Act and our regulations contain certain categories of conduct that require an entity to register with the Commission. Without taking you through our entire regulatory alphabet soup, there are multiple kinds of activities that require registration.  These activities can include not only offering transactions in digital asset derivatives—which could require registration, but also potentially passing along the instruction to transact or otherwise facilitating a digital asset derivative transaction in some way.

The main example of activity requiring registration is the activity of a futures commission merchant, which is basically the equivalent of a stock broker in the commodity space. The Commodity Exchange Act states that if you act as an FCM, you must register with the Commission. This category can be especially pertinent for digital assets, where there are now many firms offering different futures, options, and swaps related to digital asset commodities.

One important recent example is Falcon Labs Ltd. Falcon described itself on its website as the “largest digital asset prime brokerage.” Falcon offered a product it called “Edge” to institutional customers—including customers in the U.S. Edge provided some of Falcon’s customers with direct access to digital asset exchanges to trade derivatives, including futures and swaps. Falcon maintained accounts with various digital assets in its own name—but created sub-accounts for customers. Falcon Labs typically submitted verifying information to digital asset exchanges about its own accounts, but generally didn’t provide information about the ownership of sub-accounts created for customers. Falcon would then let customers who posted margin to Falcon trade directly with the exchange. In short, Falcon made it possible for U.S. customers to directly access unregistered digital assets exchanges even if the exchanges’ own procedures would have stopped the U.S. customers from doing that. The Commission’s order found that for roughly 17 months U.S. customers took advantage of that access and, through Falcon, traded digital asset derivatives directly with digital asset exchanges, including Binance. The Order thus found that Falcon undertook activities that require registration as a futures commission merchant without actually registering as a futures commission merchant. Although Falcon Labs’ Edge product was relatively novel, the charge in the case—a failure to register—is one of the oldest on the CFTC’s books.

I should note that the resolution in Falcon was a significant one. The order required disgorgement of the fees earned by Falcon—almost $1.2 million ($1,179,008)—as well as an almost $600,000 CMP ($589,504). But it would have been a higher penalty without the cooperation and remediation that the firm undertook. The order notes that after the Commission filed the Binance complaint, Falcon voluntarily changed and enhanced the approach it took to KYC and customer identification programs. And Falcon represented that its application of enhanced KYC policies and procedures resulted in Falcon Labs off-boarding approximately half of its customers. The Order also notes Falcon’s substantial cooperation and appropriate remediation, and notes that the Commission recognizes that cooperation and remediation with a reduced civil monetary penalty. As I’ve discussed recently, the benefits of cooperation and remediation are real, and this case is an example of that.

One additional thing to note about intermediaries—the Commodity Exchange Act contains aiding and abetting language modeled after 18 USC Section 2, the federal criminal aiding and abetting statute.[2] Under the Act, “[a]ny person who commits, or who willfully aids, abets, counsels, commands, induces, or procures the commission of, a violation” may be held responsible for such violation as a principal. 7 U.S.C. § 13c(a). Thus, to the extent an intermediary is aiding and abetting others in violating our longstanding laws, that intermediary may also face liability, depending on the facts and circumstances of the matter.

  1. KYC, AML, CIP and other Supervisory Claims

The third area of focus is ensuring that firms who are required to register comply with the full range of regulations. If you are conducting business that requires registration, it follows that you also generally have to comply with the regulatory requirements for registrants. So if you are, for example, conducting business that requires registration as an FCM, you also have to comply with the regulatory requirements for FCMs.

Now, those requirements can be complex for digital asset derivatives firms. While there may not be an overarching regulatory regime for digital assets, there is a complex regulatory regime for those who transact with U.S. customers in digital asset commodity derivatives. And that regime governs futures commission merchants and introducing brokers. As an aside for those not familiar with introducing brokers, they are, in short, firms or individuals that accept client orders, but don’t accept money or other assets for executing the order. They can be thought of as the middleman between the customer and the FCM. And, like FCMs, introducing brokers are subject to various anti-money laundering and know your customer requirements as well as regulatory obligations to diligently supervise their business as registrants. And those AML, KYC, and supervisory obligations can have a sweeping effect on a business, particularly businesses that are created with speed, automation, and anonymity in mind. The law requires, for example, entities that need to register as an FCM or introducing broker to also have formal customer identification programs so they know who their customers are and where they are from, and to establish anti-money laundering programs. Those types of registrants also have to report suspicious activity, apply enhanced due diligence to certain account types, actively supervise their businesses on an ongoing basis, and take many, many other steps.

Now in this room it isn’t shocking that entities like FCMs and IBs that facilitate customer-facing financial transactions have to know their customers, have AML programs, and have effective supervisory systems, but again and again we see firms conducting activities that require registration without even the pretext of complying with regulations.

One well-known example is Ooki DAO. There, the founders of the DAO’s predecessor created a for-profit trading platform allowing users anywhere in the world to enter into certain transactions within the CFTC’s jurisdiction. The founders apparently viewed their platform as beyond the law, touting the lack of KYC or AML verification as a feature. The founders then made their evasive purpose clear when they moved control of the trading protocol from an LLC to a DAO—a decentralized autonomous organization—controlled by certain token holders who had the right to vote on all of the ordinary business questions that the corporate structure had handled before. The founders explicitly stated that their goal in creating a DAO was to “future proof” the protocol so that when regulators came, the DAO could claim no one could do anything because control had been given to the community.

We responded by issuing an order settling charges against the founders and the DAO’s predecessor company and filing a complaint against the DAO itself, ultimately prevailing in a precedent-setting litigation.[3] The court ruled that the Commission can sue and serve DAOs and that DAOs are persons under the Commodity Exchange Act. And the court found that this particular DAO violated the law in multiple ways, including by unlawfully offering transactions outside of a registered exchange, unlawfully acting as an FCM without registering, and failing to conduct KYC activities or comply with AML requirements.[4]

Likewise, we have taken steps against other exchanges who have structured themselves technologically—through decentralization—in ways that are outside of the traditional structure of exchanges. Like the Ooki DAO, these are Decentralized Finance or “DeFi” firms, who instead of having a business that takes custody of customer assets, offer customers the ability to transact directly with third parties. But the CEA provides that anyone offering products like the digital asset derivatives transactions offered by some DeFi platforms must do so on a CFTC-registered platform. And a platform, whether it’s called a DeFi platform or not, must comply with required core principles designed to protect customers. And if the platform is doing business requiring registration as an FCM or IB, it can be offered only to customers consistent with the required “know your customer” and “AML” rules. The Commission has resolved cases with multiple DeFi platforms –namely Polymarket, Derridex, Opyn, and ZeroEx—and each time found that the firms had engaged in activities that require registration without having registered, and in each case getting the platform to agree to cease the unlawful aspects of their operations and pay civil monetary penalties.

  1. Concluding Thoughts

In conclusion, there is, at least for the foreseeable future, an enormous public interest in digital assets. It is our job at the CFTC—and crucial to our mission—to ensure that digital asset derivative products are only offered to U.S. market participants through appropriately registered and regulated firms. For the regulatory system to function, there must be a level playing field. If there are ways to subvert the regime by offering similar products not subject to the CFTC’s core principles and other requirements including customer protections and market practice rules, the foundations for the regulatory system are weakened. So, to support that regulatory system, we will continue to use our enforcement tools to ensure that all products under our jurisdiction are only traded by and through appropriately registered firms and that those firms are complying with the Commodity Exchange Act and our regulations.

Thank you for your time today.


[1] Press Release Number 8680-23, CFTC, CFTC Charges Binance and Its Founder, Changpeng Zhao, with Willful Evasion of Federal Law and Operating an Illegal Digital Asset Derivatives Exchange (March 27, 2023) CFTC Charges Binance and Its Founder, Changpeng Zhao, with Willful Evasion of Federal Law and Operating an Illegal Digital Asset Derivatives Exchange .

[2] See In re Richardson Secs., Inc., CFTC No. 78–10, 1981 WL 26081, at *5 (Jan. 27, 1981) (“The section was modeled after the federal criminal aiding and abetting statute, 18 U.S.C. § 2.”); see also Bosco v. Serhant, 836 F.2d 271, 279 (7th Cir.1987) (noting “that the aiding and abetting provision was modeled on, and was intended to be interpreted consistently with, the federal statute that makes aiding and abetting a crime, 18 U.S.C. § 2”).

[3] See Press Release Number 8590-22, CFTC, CFTC Imposes $250,000 Penalty Against bZeroX, LLC and Its Founders and Charges Successor Ooki DAO for Offering Illegal, Off-Exchange Digital-Asset Trading, Registration Violations, and Failing to Comply with Bank Secrecy Act (Sept. 22, 2022), CFTC Imposes $250,000 Penalty Against bZeroX, LLC and Its Founders and Charges Successor Ooki DAO for Offering Illegal, Off-Exchange Digital-Asset Trading, Registration Violations, and Failing to Comply with Bank Secrecy Act | CFTC.

[4] See Press Release Number 8715-23, CFTC, Statement of CFTC Division of Enforcement Director Ian McGinley on the Ooki DAO Litigation Victory (June 9, 2023), Statement of CFTC Division of Enforcement Director Ian McGinley on the Ooki DAO Litigation Victory | CFTC.

-CFTC-