Public Statements & Remarks

Keynote Address by Commissioner Christy Goldsmith Romero at The Wharton School and the University of Pennsylvania Carey Law School

Crypto’s Crisis of Trust: Lessons Learned from FTX’s Collapse

January 18, 2023

Remarks as Prepared for Delivery

It’s great to be back at school.  I served as an adjunct professor at Georgetown Law, teaching an advanced securities law and SEC class.  Over time, the focus of the class involved more cryptocurrency issues.  I then developed and taught a cryptocurrency regulation class at the University of Virginia Law School.

Let me give two standard disclosures as a federal official.  First, my views are my own as a Commissioner and do not necessarily reflect the views of the Commission or my fellow Commissioners.  Second, as a 20-year federal law enforcement official, I give the standard law enforcement disclaimer that charges are allegations and that defendants have the right to a fair trial.

The focus of this conference is FTX’s bankruptcy, and to put that in the larger context, today I am going to talk about trust.  I’ve been thinking about why FTX’s bankruptcy is so shocking and upsets people, even those who have not lost any money.  My theory is that this shock has to do with a violation of trust.  FTX and its founder Samuel Bankman Fried focused so much of their messaging on the idea that FTX and Mr. Bankman Fried could be “trusted” and that FTX was a “safe” and responsible haven in the crypto markets.

Today, I am going to talk about how the crypto industry is in a crisis of trust.  I will discuss how FTX chased the public’s trust, gained it, and then violated it.  I will discuss how FTX’s violation of trust deepened an existing trust deficit for the crypto industry.  I will point out seven lessons to be learned from FTX’s collapse.  These include, for example, how gatekeepers failed customers in the unregulated crypto market and serious questions surrounding the due diligence by venture capital, pension, hedge funds, and other equity investors.

I will also give seven proactive steps that I believe the crypto industry will need to take if it wants to regain any amount of public trust—steps that will also protect customers and promote market integrity.  Finally, I will share my thoughts on potential future legislation.

Lesson 1:  Financial markets are heavily dependent on public trust.  Despite crypto’s origin as a trustless system, investors and customers have come to trust centralized exchanges for access to crypto markets.

Financial markets are heavily dependent on public trust.  Without that trust, financial markets would not be able to help entrepreneurs and companies raise capital and manage risk.  When financial markets and key institutions lose the public’s trust, capital flight follows and economic activity slows.

There have been many times when the public’s trust in financial markets has been severely diminished.  High-profile scandals involving accounting frauds, market manipulation, and outright theft and fraud have been committed by “trusted” financial professionals.  There was an erosion of public trust in Wall Street and the financial system during the financial crisis.  Wall Street had failed too many working families who suffered while watching the very people on Wall Street who caused their suffering get bailed out through the Troubled Asset Relief Program (“TARP”).[1]

Cryptocurrency was borne out of the 2008 erosion of public trust in Wall Street and the traditional financial system (“TradFi”).  On Halloween 2008, soon after Congress approved TARP, Satoshi Nakamoto released his vision of a “trustless” peer-to-peer electronic cash system.  It envisioned a new system that was not reliant on trusted third parties.

Despite Satoshi Nakamoto’s vision of crypto as a trustless peer-to-peer cash system, crypto investors and customers have shown a preference to rely on “trusted” centralized exchanges to provide access to crypto markets.  Given crypto’s history of fraud and dark net crime, it is understandable that investors and customers look for someone they can trust.  Customers also want convenience and security and to rely on someone else for technical proficiency.[2]

The number of centralized crypto exchanges has grown alongside mainstream interest in crypto by retail customers.  As competition for market share has increased, exchanges have sought to attract customers with promises centered on trust.

Lesson 2:  FTX sought public trust by messaging itself and its founder as trustworthy.  Celebrity endorsements and social media added to retail customers’ trust in FTX and other exchanges.

FTX sought public trust as a way to establish market and investor confidence and ultimately, to grow its business.  Its public messaging centered around FTX and its founder Samuel Bankman Fried being trustworthy.  Through Congressional hearings, meetings with regulators, and public statements through social media and interviews, FTX projected an image of a company that didn’t want to operate in the dark.  It said it wanted to play by the rules, and be regulated.

FTX messaged to potential retail customers that it was trustworthy—a haven in a crypto market suffering from a trust deficit.  FTX messaged that it could be trusted more than others in crypto, particularly by regular people.  In September 2021, FTX ran ads featuring quarterback Tom Brady and his wife, supermodel Gisele Bündchen, with the tagline, “Crypto.FTX. You in?”  In the ad, Brady calls people to tell them about FTX, not famous people mind you, but regular people:  a dogwalker, a fishmonger, a guy in a hard hat, a mechanic, a cook, a plumber, and a bartender.

[Play commercial]

Then, the pitch, “FTX: The most trusted way to buy and sell crypto.” [3]

FTX Logo

It is now abundantly clear that FTX is not a trusted way to buy and sell crypto.  But when this ad aired, FTX had already cultivated a fair amount of trust from the public.

This ad, played today, feels like a violation of trust.  Now, this formerly $32 billion company (reportedly) is one of the largest financial industry bankruptcy filings in history.  There are likely more than one million creditors.[4]  After being brought in to preserve value in FTX for customers and other creditors, current FTX CEO John J. Ray III testified, “This is really old fashioned embezzlement.  This is just taking money from customers and using it for your own purpose . . . . This isn’t sophisticated whatsoever.  This is just plain old embezzlement.”[5]  FTX’s founder and other executives are facing criminal prosecutions and civil prosecutions by the CFTC and SEC.  Damian Williams, the U.S. Attorney for the Southern District of New York, described the charges as “one of the biggest financial frauds in American history.”

FTX had financial support for its campaign to build trust.  Some venture capital firms (and other investors) knowingly funded this trust campaign.  In a now-deleted piece on its website, Sequoia Capital posted the following:

Alameda was not immune to the exchange-level shenanigans that gave crypto as a whole its sleazy reputation.  But FTX had an ambition to change that.  It was built to be the exchange traders could count on.  SBF needed to get the word out.  He wanted FTX to be known as the respectable face of crypto.  This required ad campaigns, sponsorship deals, a charitable wing—and a war chest to pay for it all.

FTX did need the money, after all.  And it needed that money from credible sources so it could continue to distinguish itself from the bottom-feeders who came to crypto to fleece the suckers.[6]

FTX appears to have used Sequoia as a credibility and trust enhancer, and it used Sequoia’s money to embark on a campaign to gain public trust and distinguish itself as the most trusted brand in crypto.

It appears that Sequoia at least knew its money would be used in this fashion.  However, there are serious questions and allegations about whether this public-relations “war chest” was funded not only by venture capital money but also customer property.  If those allegations prove to be true, this could be one of the most significant breaches of trust in financial history.

The multi-dimensional public relations campaign was meant to build the public’s trust in FTX.  And I have not discussed all elements of that campaign.  There were rumored efforts to influence charities and policy advocacy groups. There were efforts relating to FTX’s extensive legal and political spending; and even an alleged investment in a crypto news site.  All of this appears to be part of a branding campaign designed to make FTX appear trustworthy.

FTX’s violation of the trust it built through this campaign deepened the trust deficit for an unregulated crypto industry already badly damaged by the collapse of TerraUSD, Three Arrows Capital, Celsius and Voyager.  The crypto industry is left with a crisis of trust.

Lesson 3:  The digitization of financial services and products, which accelerated during the pandemic, brought convenience but also a presumed trust in crypto exchanges with name recognition—trust that FTX violated.

In the early years, crypto was traded by mostly crypto enthusiasts, but in recent years, there has been more mainstream adoption by retail customers.  FTX and others in the crypto industry have focused tremendous resources on building, capturing, and monetizing demand for crypto.

FTX was founded just before the onset of the pandemic—a pandemic that accelerated the digitization of financial services.  Customers wanted convenient electronic methods for financial transactions and became more adept at online platforms and phone apps for financial services.

Growth in the crypto industry soared during the pandemic to a reported $3 trillion valuation.   People were at home and spent significantly more time online and on social media.  Many people had additional disposable income that they were not spending on restaurants, events or shopping.  Crypto exchanges brought the convenience of matching up buyers and sellers and an easy lending source.  Crypto exchanges provided platforms through apps that gave customers a feeling of ease and safety—similar to what customers felt with traditional investing platforms and apps.

For many investors, an app providing access to an unregulated crypto exchange looks, feels, and operates exactly like an app providing access to a highly regulated financial institution.  Side by side, these apps seem to provide similar services.  The risks to the customer, however, are dramatically different.  Many customers, including regular people, poured into the crypto markets without access to the information they needed from crypto exchanges to know, much less accept, the risks.  Many of them may not have known that the industry was largely unregulated.

Customers of FTX undoubtedly had varying reasons for investing in crypto.  However, some customers likely started to trade in crypto out of the Fear of Missing Out (“FOMO”).  FOMO is an extremely motivating human emotion.  This was especially true during the pandemic, where people felt like they were missing out on many things.  Many also were motivated by a philosophy that You Only Live Once (“YOLO”), a common refrain on Twitter and in Reddit forums at times encouraging investors to take outsized risks for their circumstances.  YOLO may have had special appeal in the midst of a pandemic that took too many lives too soon, where people may have become more interested in seizing cutting edge and risky opportunities because life is too short.

The apex for mainstream adoption of crypto may have been the Superbowl commercials run by crypto companies in early 2022.  Fueled by an extraordinary bull run for crypto assets, those commercials, along with celebrity endorsements, played on both FOMO and YOLO and created a buzz that crypto already had mainstream adoption by the “in crowd”—the people who “got it” and were “in the know.”  Kim Kardashian, DJ Khaled, Katy Perry, Gwyneth Paltrow, Floyd Mayweather Jr., Mike Tyson, Jamie Foxx, Larry David, and Matt Damon are some prominent celebrity endorsers of crypto.

Who can forget Crypto.com’s Superbowl commercial featuring Matt Damon that seemed to shame anyone with doubts as cowardly, exalting the “others” as those who “embrace the moment and commit.”

[Play commercial]

“And in these moments of truth, these men and women, these mere mortals just like you and me, as they peer over the edge, they calm their minds and steel their nerves with four simple words that have been whispered by the intrepid since the time of the Romans: Fortune Favours the Brave.”[7]  Brave about what exactly? The risks associated with crypto?

FTX’s Superbowl commercial in early 2022 played up the exchange’s safety and convenience for people that may be new to crypto.[8]

[Play commercial]

In the commercial, an actor tells Larry David that FTX is a “Safe and easy way to get into crypto.”  We know now that FTX was not safe, and we also know that early 2022 was probably not the ideal time to “get into crypto,” given that crypto markets have since broadly deteriorated.

FTX played on potential customers’ FOMO and YOLO and even likened those on the sidelines of the crypto markets to Luddites and small-minded critics.  At the end of the commercial, large on the screen is the saying, “Don’t Miss Out on Crypto,”

Don't Miss Out on Crypto FTX

and then it says “Don’t Miss Out On the Next Big Thing.”

Don't Miss Out on the Next Big Thing FTX

The ads worked, according to a graph showing the pace of an increase in FTX users tweeted by then-FTX.US President on March 14, 2022.[9]

Graphic of Total FTX US Users

The ads, celebrity endorsements, and other buzz surrounding FTX and crypto fueled significant interest by customers.  This may be (likely), in part, because FTX said that regular people on the sidelines were missing the next big thing.  FTX could be trusted to get you in on it and was safe and easy to use, according to FTX.

On too many occasions, crypto exchanges, like FTX, have proven themselves to be untrustworthy.  This is shown by a string of enforcement actions.  This is also shown by the fact that basic customer protections are often missing in the crypto industry.  Disclosures are often non-existent, incomplete, confusing, or buried, leaving customers uninformed of their rights and risks.

Customers are often not informed about one of the most foundational customer protections—whether customer assets will be safeguarded from the company’s use.[10]  CEO Ray said that FTX commingled customer assets with company assets.[11]

Unfortunately, the use of omnibus accounts that include customer and exchange funds is a commonly used business model of unregulated crypto exchanges—a model that could present serious risk of loss to customers even today.  As I have warned, user agreements posted online for Coinbase and Kraken, two of the largest digital asset exchanges in the world, appear to authorize the commingling of customer and exchange assets.[12]  This suggests that commingling is widespread throughout the unregulated crypto markets.  The commingling of customer and company funds presents a significant threat to customers that can leave customers in a musical chairs dilemma and lead to the risk of a run on the crypto company.

A recent landmark decision in the Celsius bankruptcy sends a clear warning signal that customer deposits will not be protected if the user agreement does not provide for that protection.  This month, Chief Bankruptcy Judge Martin Glenn ruled that Celsius owned $4.2 billion in customer stablecoin and other deposits made in connection with its “Earn” program, not the customers who deposited crypto into their accounts.[13]  This left approximately 600,000 Celsius customers holding only general unsecured claims, without bankruptcy priority.

In my conversations with Congress and others, I continue to stress the importance of a complete ban on commingling customer and company funds as the single most important customer protection needed in crypto.  In addition, I continue to stress the need for customer bankruptcy priority.  Congress could implement those recommendations, but that could take time as it navigates a host of crypto policy issues.  Even without new legislation, the crypto industry can end commingling, and the private sector can demand that they do so.

The crypto industry should also improve disclosures and deliver disclosures in a manner that is effective to inform customers of their rights and risks.  Due to the poor quality of disclosures, clever drafting of exceptions in legalese or fine print, or in some cases fraud, customers may not understand their rights or risks with cryptocurrency, including that their property could be commingled with company funds.  I am not saying that TradFi is the best at disclosures, but the crypto industry has the opportunity to improve over TradFi.

E-disclosures present opportunities for convenience but also significant challenges in providing effective disclosures.  In a digitized world using phone apps for financial transactions, users may scroll through electronic disclosures and click a box that they agree, without reading or understanding them, giving away their rights.  These “clickwrap” agreements are generally upheld, as they were with the bankruptcy judge in Celsius who ruled that the user agreements were unambiguous that customer deposits belonged to Celsius.[14]

Commercials or other video ads that flash disclosures onscreen for a moment have always been concerning.  Think of FTX’s fine print on its Superbowl ad, “This is not an investment recommendation.  Cryptocurrencies are highly volatile, are subject to significant risks and may not be suitable for you.  Not available in all jurisdictions.”

Investment advisors (“IAs”) and brokers could also increase their responsibilities in this area to help people become informed about their rights and risks, and help them choose suitable investments.  And they should do so in an inclusive manner.  The securities markets provide a useful guide.  Investment advisers and brokers in regulated TradFi markets have fiduciary (or best interest) duties to their clients.  They help clients determine what is a suitable investment based on their risk profile.  Online brokers limit customer options based on the customer’s risk profile, helping prevent customers from taking outsized risks for their circumstances.  Removing these IAs/brokers in a customer-direct-to-exchange model (like when a customer trades on an exchange’s app) removes those with professional licensing and duties to customers (and in certain cases, may also impact customers’ bankruptcy priority).  Given the high risk and volatility in cryptocurrency, customers can benefit from using these professionals, someone with a duty to them, not the crypto company.

Lesson 4:  Good corporate governance, starting with tone-at-the-top, is necessary to establish and keep trust.

Good corporate governance protects customers, investors, the company, its counterparties, and the integrity of markets.  It requires a tone-at-the-top.  It requires leadership that values controls and transparency, and to those ends, accurate books and records.  It requires an independent check on management.  Good corporate governance serves as a meaningful check on the “cult of personality” of corporate founders.

Good corporate governance can reduce the risk of, and expose, unlawful misconduct.  I am a 20-year law enforcement official who led a law-enforcement office with white collar criminal prosecutions of more than 460 defendants, including more than 100 bankers.  In my experience, the lack of accurate books and records, or controls, is often a red flag for fraud.

Many within the unregulated crypto industry appear to lack good corporate governance, adding to the crisis of trust.  This crisis of trust has been a consequence of an unregulated market environment in which centralized crypto companies were not required to have good, independent corporate governance that investors expect in traditional finance.

FTX was no exception.  Within weeks of joining FTX, current FTX CEO John J. Ray III testified before Congress, “never in my career have I seen such an utter failure of corporate controls at every level of an organization, from the lack of financial statements to a complete failure of any internal controls or governance whatsoever.”[15]

He testified, “the FTX Group’s collapse appears to stem from the absolute concentration of control in the hands of a very small group of grossly inexperienced and unsophisticated individuals who failed to implement virtually any of the systems or controls that are necessary for a company that is entrusted with other people’s money or assets.”[16]

FTX lacked independent governance that could serve as a check on its founder or other executives.  CEO Ray testified, “There’s no independent board.  We had one person controlling this.”[17]  There was no independent check on management.

Independent, good governance is a fundamental way for the crypto industry to begin to repair the trust deficit, while protecting customers and promoting market integrity.  My concerns today are not limited to high-profile meltdowns, like FTX, that demand better corporate governance.  Concerning practices continue throughout the industry.

Markets can increase trust by exalting companies with good corporate governance.  Equity investors such as venture capital firms and institutional investors can demand good corporate governance.  This would have a dual benefit of giving the crypto industry a financial incentive to improve corporate governance, while also fulfilling fiduciary duties that venture capital firms and some institutional investors owe to their clients.  If they do so, customers and markets will be better protected.

Lesson 5: Gatekeepers failed customers in the unregulated crypto market.

The crisis of trust in the unregulated crypto markets also results from an environment where lawyers, accountants, auditors, compliance professionals and other gatekeepers for crypto firms failed customers in their essential duties.  There is no shortage of lawyers working for unregulated crypto companies, including former federal government lawyers.

In traditional finance, these gatekeepers have an important role to play in protecting customers, investors and market integrity.  The role of the gatekeeper is to promote good corporate governance, instill operational discipline, ensure compliance with required standards and the law, and prevent and detect fraud and other unlawful activity.

In the aftermath of what started with Terra/Luna and now with FTX’s collapse, the role of the gatekeeper in crypto companies should be enhanced.  The best run crypto exchanges, brokers, and so-called stablecoin issuers should empower gatekeepers, even in the absence of a regulatory mandate.

Gatekeepers themselves also need to step up and call for compliance, controls, and other governance, without allowing the promise of riches and the company’s marketing pitch to silence their objections to obvious deficiencies.  It will take gatekeepers speaking truth to power, or choosing to leave firms that do not take their responsibilities to customers seriously—something that as a former Inspector General, I know takes a lot of courage.  But it is necessary if the industry (and their gatekeepers) wish to restore any semblance of trust.  Most importantly, it is necessary to protect customers and promote market integrity.

FTX operated in a manner that simply should not be possible in the presence of appropriate independent governance and gatekeepers, even in an unregulated environment.  CEO Ray testified to Congress, “I’ve just never seen an utter lack of record keeping.”[18]  FTX reportedly had few controls to ensure accurate financial recordkeeping.  CEO Ray told the bankruptcy court that he did not think it was appropriate to rely on FTX’s audited financial statements.[19]  Financial statements of some of the companies had an auditor opinion from a firm not well-known whose website said, “first-ever CPA firm to officially open its Metaverse headquarters in the metaverse platform Decentraland.”[20]  Financial statements of Alameda were not audited.

CEO Ray also told the court that, “The FTX Group did not keep appropriate books and records, or security controls, with respect to its digital assets.”[21]  A lack of records and controls creates problems in protecting customers, uncovering or unwinding fraudulent transfers, and can obscure, if not enable, bad acts.  CEO Ray discussed unacceptable management practices found, including the use of software to conceal the misuse of customer funds.  No experienced, well-regarded accountant could long continue with a firm operating in this manner.

I have warned that crypto companies have conflicts of interest with affiliates as well as contagion risk.  CEO Ray testified to Congress, “The operations of the FTX Group were not segregated.  It was really operated as one company.  As a result, there’s no distinction virtually between the operations of the company and those who controlled those operations.” He continued, “There were virtually no internal controls and no separateness whatsoever.”[22]

FTX had an opaque web of affiliated corporate companies with conflicts of interests.  While one would expect to see affiliates in companies operating throughout the world, one would also expect to see significant and transparent operational, financial, and other lines drawn around each of those corporate entities, with internal controls on crossing those lines and records of inter-affiliate transactions.[23]  Instead, FTX had an opaque web of more than 100 affiliates, a lack of financial records, outsourced accounting, payments through an online chat platform, and a general lack of internal controls.  This included a lack of a centralized cash management system, with approximately 216 bank accounts at 36 banks worldwide, some of which had unknown balances.[24]

CEO Ray also testified, “The operation of Alameda really depended, at least on the way it was operated, on the use of customer funds.  That’s the major breakdown here.  Funds from FTX, which was the exchange for non-U.S. citizens, those funds were used for Alameda to make investments and other disbursements.”[25]

Gatekeepers should have seriously questioned the operational environment at FTX in the lead-up to its meltdown.

Gatekeepers should also ensure that transactions involving insiders are timely reported, independently reviewed and approved, and accurately recorded.  CEO Ray testified, “The loans that were given to Mr. Bankman Fried were not just one loan, it was numerous loans, some of which were documented by individual promissory notes. There’s no description about what the purpose of the loan was.  In one instance, he signed both as the issuer of the loan as well as the recipient of the loan.”[26]

That is a failure of a crypto industry that has not sufficiently recognized its responsibilities associated with holding customer funds.  It is a failure of an industry that has not empowered gatekeepers.  In some cases, it is a failure of the gatekeepers themselves.

Lesson 6:  There is also a trust deficit with venture capital firms, pension funds and other large equity investors who owe fiduciary duties to their clients to conduct due diligence.

Although FTX’s list of creditors has not been published, various outlets have estimated large investors based on public disclosures.  At least one outlet estimates three large FTX capital raises from the summer of 2021 through January 2022.[27]  This included an approximate $900 million to $1 billion capital raise from Paradigm, Sequoia Capital, SoftBank, Singapore-owned Temasek, Insight Partners and others for FTX to reach an $18 billion valuation.[28]

Three months later, FTX reportedly raised an additional $420 million in capital from the Ontario Teachers’ Pension Plan Board, Temasek, Sequoia Capital, Sea Capital, IVP, Blackrock and others to reach a $25 billion valuation.[29]  In January 2022, FTX reportedly raised an additional $400 million in capital from Temasek, Paradigm, IVP, and others to reach an estimated $32 billion valuation.[30]  Some reportedly have marked their interest down to zero.[31]

Bar Graph of the Rise Before the Fall

Questions surround the due diligence conducted by these large equity investors in this unregulated company.  Many equity investors would have had fiduciary duties to their clients and investment guidelines.  There should have been red flags in any amount of basic due diligence. 

Questions arise whether these investors turned a blind eye when conducting due diligence to facts that would normally serve as flashing red lights because of the promise of innovation, hype surrounding FTX, and what is now understood to be misplaced trust in FTX and its founder.  There may be incentives to turn a blind eye in a competitive market where there is abundant capital to deploy.  Also, in a highly connected industry, there may be conflicts in a firm fulfilling its fiduciary duties—conflicts that must be resolved.

It is important that these investors take their responsibility to conduct due diligence seriously.

I became very concerned about the lack of basic due diligence that I was hearing from managed funds and other equity investors who told me they were interested in investing in crypto and asked me about the due diligence they should conduct.  I became so concerned that I issued warnings at a Managed Funds Association conference in early October 2022, warning that basic rules of the road were often not present in crypto, including segregation of customer assets and resolution of conflicts of interest.  I followed that a week later in a formal speech to Wall Street, warning about these same risks and the parallel themes to 2008 that I observed.[32]  At both events, I warned that these were unregulated markets.

In my experience as a federal regulator, digital asset firms are very good at pitches, particularly pitches about how innovative their product or service is compared to others.  However, as a regulator, I am not interested in a pitch but instead in customer protections and promoting market integrity.  In my experience, digital asset companies have a much harder time facing exacting questions about standard governance and accountability requirements that are expected of traditional finance.  Industry answers on the robustness of know-your-customer, anti-money laundering, audit, and conflict-of-interest resolution practices have not held up.  Moreover, despite my repeated warnings about the absence of specific customer protections for segregation of customer assets, user agreements for large crypto spot exchanges contain language that seemingly involves commingling customer assets in omnibus accounts or wallets.

These and other issues that I and colleagues in the U.S. government have raised in recent months require a responsible industry response should the industry wish to regain any amount of trust.  The concerning lack of appropriate due diligence and related fallout from FTX’s collapse hurt FTX investors and customers.  The industry is facing a crisis of trust, which has led to the pullback of venture capital firms and other investors from the crypto markets as a whole.

Consider data from research firm, PitchBook, showing that venture capital investment in the crypto industry has plunged to its lowest level in two years:[33]

 

Graph Bar Crypto Venture Capital Dips Further Post-FTX

[34]

It seems that even the institutional and high-net worth investors directly and indirectly owning, advising, and hyping many of the most prominent crypto firms have had their trust shaken as well.[35]

Lesson 7:  Hackers will seek to exploit crypto companies with customer funds.  Sound custody practices and strong cybersecurity are necessary to restore trust and protect customers.

Digital assets heighten the risk of cyber attacks, raising the critical importance of strong cybersecurity.  A cyberhack and theft destroys trust with customers, investors and the market.  Throughout 2022, with cyberhacks at record numbers, I have implored crypto companies to increase their cybersecurity, including against attacks on cross chain bridges.[36]

On the day the bankruptcy was filed, FTX reportedly suffered a cyber hack losing $372 million in cryptocurrency.[37]  FTX hired cybersecurity professionals to help it identify the person or entity making the unauthorized transfer.  In addition to what was lost, there were other attempts to access FTX’s digital assets and data, and FTX implemented defensive measures.[38]  In order to prevent further cyberattacks, FTX entered into custodial services to store digital assets in cold wallets (that is, on platforms not connected to the internet).[39]

Equity investors and other crypto market participants can take steps to insist on sound custody practices and cyber resilience at exchanges.  One path is for them to demand regular updated Systems and Operational Controls 2 (“SOC 2”) audits and opinions that the exchange has met, and better yet, exceeded, standards.[40]  Crypto exchanges, as well as others, can learn a lot from conducting regular SOC 2 audits to strengthen cybersecurity and custody practices.

Secure systems and operational controls are critical throughout the crypto industry.  In reviewing applications before the CFTC, I will be scrutinizing systems and operational controls at registrant applicants, and any of their affiliates that may perform services or have other connections or cause contagion risk (which may require additional regulatory authority from Congress).

Seven proactive steps for the digital asset industry to take in order to begin regaining trust (steps that will also protect customers and promote market integrity).

If the digital asset industry wants to regain any amount of public trust, it has some work to do.  It must repair and earn public trust.  The way to do that is to follow the same good governance and customer protections that traditional finance should employ.

  1. Establish good corporate governance: Crypto exchanges, brokers and others should adopt good corporate governance.  This includes maintaining accurate books and records, cash management systems, and effective internal controls.  The companies should hire experienced personnel in financial management.  Compliance with anti-money laundering, Know-Your-Customer, and sanction rules are foundational.
  2. Independent check on management and audited financial statements:  There should be an independent check on management, such as a board of directors with independent directors.  Financial statements should be audited by an independent, reputable firm.
  3. Increase the roles of gatekeepers (lawyers, accountants, compliance professionals), and those gatekeepers should step it up.  Lawyers, accountants, and compliance professionals should have an independent voice and the ability to escalate concerns to senior-most management and independent boards.  Gatekeepers in risk, compliance, and legal must be given adequate resources, authority, and visibility.  Gatekeepers themselves must have the courage of their convictions to do the right thing.
  4. Ban commingling of customer assets with company assets: Crypto exchanges and brokers should ban commingling customer assets with company assets, including the use of omnibus accounts and wallets.
  5. Resolve conflicts of interest between affiliates: The crypto industry should resolve conflicts of interest between affiliates.  In addition to legal separation, there should be a separation in personnel and systems (including significant limitations on dual-hatted executives and systems).  Transactions involving insiders or affiliates should be timely reported, independently reviewed and approved, and accurately recorded.
  6. Better, clear disclosures to inform customers about their rights and risks: Customers should not have to wait until a bankruptcy to learn their rights.  Companies should deliver disclosures in a way that effectively informs customers about their rights and risks.
  7. Strengthen cybersecurity: The crypto industry has a number of unique vulnerabilities that present significant risks to customer funds and market integrity.  With cyber hacks at an all-time high, crypto companies should strengthen cybersecurity.  This includes establishing strong systems and operational controls as part of cyber resilience frameworks.  Companies should regularly have independent auditing of compliance with (even better to exceed) SOC 2 standards, and at a minimum, limit access to customer accounts and private keys, including to prevent the unauthorized transfer of assets.

This is not meant to be an exhaustive list but a basic foundation for repairing trust, while protecting customers and markets.

Future Cryptocurrency Legislation

Given the mainstream adoption of cryptocurrency by retail customers, I support Congress enacting a comprehensive statutory framework throughout the federal government that would require customer protections, instill market integrity, close regulatory gaps, and reduce regulatory arbitrage.  For any legislation, I have advocated with Congress and continue to advocate for, among other customer protections and market integrity guardrails, the following:

  • Complete ban on commingling customer assets with company assets;
  • Resolution of conflicts of interest with respect to insiders and affiliated entities;
  • Broad application of the Bank Secrecy Act (including its Anti-Money Laundering provisions)
  • Strong cybersecurity requirements;
  • Broker fiduciary duties to customers;
  • Clear, plain-English disclosures to customers, delivered in a manner that effectively informs customers of their rights and risks; and
  • Appropriate regulation of decentralized finance.

Although some of these were included in legislation introduced in the last Congress, it is sensible to take a step back in light of the FTX collapse (and earlier collapses), and recent enforcement actions, to incorporate lessons learned and ensure that any future legislation adequately protects customers and market integrity. 

Any bill related to the CFTC could greatly benefit from strong CFTC oversight tools.  This includes: (1) greater authority to stop digital asset products from listing on an exchange by not permitting crypto exchanges to self-certify products; (2) requiring crypto exchanges and other new registrants to use an independent self-regulatory organization; and (3) authorizing CFTC access to information about unregulated affiliates of a crypto registrant where necessary for the CFTC to fulfill its supervisory responsibilities.[41]

The CFTC’s Current Self-Certification Process Does Not Provide the CFTC Sufficient Oversight Over Exchanges Listing Cryptocurrencies

I urge Congress to avoid permitting newly-regulated crypto exchanges to self-certify products for listing, under the current process that limits CFTC oversight.[42]  Futures exchanges, who in many cases, have been in operation and performing regulatory functions for decades, currently self-certify digital asset futures.  As Congress considers an appropriate comprehensive framework for spot digital commodities, I urge it to avoid self-certification for the following three primary reasons:

  1. A new and different type of market requires greater CFTC oversight:  A newly regulated market would need and benefit from greater CFTC oversight.  Moreover, spot exchanges are different from futures exchanges.  Futures exchanges compete on the basis of proprietary futures contracts, which are traded on the listing exchange alone.  Self-certification is not a process that makes sense for listings in the spot crypto markets, where tokens may trade peer-to-peer and/or in dozens of venues all over the world; and are controlled by private issuers.
  2. Concerns about a spot exchange’s ability to certify that the digital asset is not readily susceptible to market manipulation: It could be a challenge for a spot exchange to know all of the facts to be able to certify whether that cryptocurrency is readily susceptible to manipulation, particularly for thinly traded digital assets distributed globally.  Even if the digital asset is bitcoin, the pricing reference for bitcoin is still an issue.  Bitcoin is transacted on a peer-to-peer basis, over-the-counter through brokers, and through many different global exchanges.  If the exchange wants to list its own cryptocurrency, the exchange itself could manipulate it, presenting a conflict of interest.[43]
  3. Oversight is necessary to prevent abuse of the self-certification for regulatory arbitrage.  It is critical to institute guardrails against regulatory arbitrage and that includes prohibiting the use of the self-certification process.  Given that many digital assets are likely to qualify as securities under the securities laws, including under Howey test, while other digital assets are likely to qualify as commodities, there is a risk of an exchange engaging in regulatory arbitrage by self-certifying and then listing digital assets that are securities, not just digital commodities under the CFTC’s jurisdiction.

Alternatives to the self-certification process:  I am open-minded and interested in hearing from the public about appropriate alternatives that Congress could consider, including hybrid approaches where the exchange self-certifies to certain things but not others.[44]  However, I would urge Congress to ensure that any approach chosen have significant CFTC oversight and address these concerns.

An Independent Self-Regulatory Organization

Should Congress statutorily recognize a regulated digital commodity spot market, I would urge it to require spot exchanges to use an independent self-regulatory organization.  Digital asset spot exchanges should not serve as their own SROs.  The SRO function would be a new function for these exchanges.  An independent SRO would avoid certain conflicts of interest and bring consistency across exchanges.  It would be an important bulwark to ensure that exchanges have the corporate governance, personnel, systems and controls required of a regulated market holding assets for U.S. customers

CFTC Access to Information on Registrants' Affiliates

On November 30, 2022 publicly, and internally for months prior, I proposed that the CFTC conduct heightened supervision of CFTC-registered crypto exchanges,[45] saying:

Heightened supervision would also include heightened focus on conflicts of interest and contagion threats, particularly from unregulated affiliates.  The Commission should explore the full measure of existing authorities in all areas related to crypto, including unregulated affiliates.  We should be able to demand information, perform risk-based reviews, and limit risks, as necessary related to unregulated affiliates where there are inter-affiliate contagion risk and/or conflicts of interest.  To the extent that the CFTC is limited in its access to affiliate information, the Commission should explore all options to increase access.

FTX’s dealings with its affiliates in an unregulated market highlight the substantial harm that can result from unresolved conflicts of interest.  The CFTC may be constrained in its access to information about affiliates that would have significant bearing on assessment of risk and on supervisory decisions that should be made.  The CFTC would benefit from greater authority to access certain information on unregulated affiliates of regulated exchanges, with appropriate conditions.

Conclusion

In conclusion, after FTX’s bankruptcy, the crypto industry is at an inflection point when it comes to public trust.  While I continue to advocate for comprehensive legislation that will protect customers and the market, the crypto industry should not wait for legislation before taking the foundational steps I have laid out in order to regain some measure of trust.  A legislative framework that stands the test of time will take time, especially if a whole-of-government is taken as I have publicly supported.  Until then, there is much the industry can take upon itself, and it should.  If done right, in a way that is truly deserving of public trust, customers will be better protected and markets will have greater integrity.


[1] As the Special Inspector General of TARP (“SIGTARP”) for the last decade from 2012 to 2022, I assisted in rebuilding a stronger financial system to help restore public trust.  I reported on the causes of the financial crisis, testified before Congress on capital, Too Big to Fail, financial stability, and other crisis-related issues, investigated and partnered with the Department of Justice (“DOJ”) to prosecute bankers, brokers and other white collar criminal defendants, and brought civil prosecutions with DOJ, the Securities and Exchange Commission, the Consumer Financial Protection Bureau, and state attorneys general, against most of the largest banks and brokers.

[2] Dependence on centralized exchanges for security may be misplaced given the series of major security and trust breaches, beginning with Mt. Gox in 2011.

[3] West Realm Shires Services Inc. dba “FTX US”, Crypto. FTX. You in? (2021), available at Tom Brady Crypto Commercial for FTX Exchange | Cryptocurrency Commercial - YouTube.

[4] See “Declaration of Edgar W. Mosely in Support of Chapter 11 Petitions and First Day Pleadings,” In re FTX Trading, Ltd, et al., (Del. Bankr. Ct. Nov. 20, 2022).

[5] See U.S. House Committee on Financial Services, Hybrid Hearing Entitled: Investigating the Collapse of FTX, Part I (Dec. 13, 2022), available at https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=408483.

[6] A. Fisher, Sam Bankman-Fried Has a Savior Complex—And Maybe You Should Too, Sequoia Capital Spotlight (Sept. 22, 2022), available at https://web.archive.org/web/20221027181005/https://www.sequoiacap.com/article/sam-bankman-fried-spotlight/.

[7] Crypto.com, Fortune Favors the Brave (2021), available at Crypto.com Commercial Super Bowl 2021/2022 - YouTube.

[8] West Realm Shires Services Inc. dba “FTX US”, Don’t Be Like Larry:  Don’t Miss Out on Crypto, NFTs, the Next Big Thing (2022), available at FTX Super Bowl Don't miss out with Larry David - YouTube.

[9] @BrettHarrison88, Twitter (Mar. 14, 2022, 1:10 PM), FTX US user growth continues apace 🔥, available at https://twitter.com/BrettHarrison88/status/1503418328488030208?s=20&t=RFsEUBi5jHSpRbTvaiggug.  Given all that has been revealed about FTX as part of the bankruptcy, it is unclear if these numbers are accurate and supported.  The graph is included as part of FTX’s messaging.  Limitations on permitted crypto trading in the United States appear to have limited U.S. customers.  CEO Ray testified before Congress, “The majority of the creditors trade through the .com silo and are outside of this jurisdiction, although there are some foreign customers that are on the U.S. silo, and vice versa.”  See U.S. House Committee on Financial Services, Hybrid Hearing Entitled: Investigating the Collapse of FTX, Part I (Dec. 13, 2022), available at https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=408483.

[10] See CFTC Commissioner Christy Goldsmith Romero, Financial Stability Risks of Crypto Assets: Remarks before the International Swaps and Derivatives Association’s Crypto Forum 2022New York (Oct. 26, 2022) (“The Lack of Segregated Customer Assets: Segregation of customer assets from a company’s operating funds is a foundational customer protection in regulated entities that is not common for unregulated digital assets, nor is bankruptcy priority.  There is not enough awareness or attention on this critical area where customer protections dovetail with financial stability risks.  Customers may be left in a musical chairs’ dilemma.  This increases run risk at the first sign of a company’s or counterparty’s weakness.  In my conversations with Congressional members, their staff, and market participants, I remain focused on the need to segregate customer assets for purposes of financial stability and customer protection.”).

[11] ”Testimony of Mr. John J. Ray III, Chief Executive Officer, FTX Debtors,” U.S. House Committee on Financial Services (Dec. 13, 2022), available at HHRG-117-BA00-Wstate-RayJ-20221213.pdf (house.gov).

[12] See CFTC Commissioner Christy Goldsmith Romero, Protecting Against Emerging Global Fintech Threats in Cyberspaace and Cryptocurrencies: Remarks of Commissioner Christy Goldsmith Romero at the Futures Industry Association, Asia Derivatives Conference, Singapore | CFTC (Nov. 30, 2022) (citing the following: “Omnibus Accounts.  In order to more securely and effectively custody assets, Coinbase may use shared blockchain addresses, controlled by Coinbase, to hold Supported Digital Assets for Digital Asset Wallets on behalf of customers and/or held on behalf of Coinbase.  Although we maintain separate ledgers for users’ Coinbase Accounts and Coinbase accounts held by Coinbase for its own benefit, Coinbase shall have no obligation to create a segregated blockchain address for your Supported Digital Assets.  Coinbase, Coinbase User Agreement (last updated Nov. 10, 2022).  Omnibus Accounts.  In order to more securely and effectively custody assets, Payward may use shared blockchain addresses, controlled by Payward, to hold Digital Assets on behalf of users and/or held on behalf of Payward.  We maintain separate ledgers for users’ Kraken Accounts and Payward accounts held by Payward for its own benefit.  Kraken, Terms of Service (last updated Oct. 10, 2022)).

[13] “Memorandum Opinion and Order Regarding Ownership of Earn Account Assets,” In re Celsius Network, LLC, et al. (S.D.N.Y. Bankr. Jan. 4, 2023), available at IN RE CELSIUS NETWORK LLC | Case No. 22-10964... | 20230105500| Leagle.com.

[14] See Id, quoting Celsius’ user agreement, which said as follows: “[Y]ou grant Celsius . . . all right and title to such Eligible Digital Assets, including ownership rights, and the right, without further notice to you, to hold such Digital Assets in Celsius' own Virtual Wallet or elsewhere, and to pledge, re-pledge, hypothecate, rehypothecate, sell, lend, or otherwise transfer or use any amount of such Digital Assets, separately or together with other property, with all attendant rights of ownership, and for any period of time, and without retaining in Celsius' possession and/or control a like amount of Digital Assets or any other monies or assets, and to use or invest such Digital Assets in Celsius' full discretion.  You acknowledge that with respect to Digital Assets used by Celsius pursuant to this paragraph:1.  You will not be able to exercise rights of ownership . . . . 3.  In the event that Celsius becomes bankrupt, enters liquidation or is otherwise unable to repay its obligations, any Eligible Digital Assets used in the Earn Service or as collateral under the Borrow Service may not be recoverable, and you may not have any legal remedies or rights.

[15] ”Testimony of Mr. John J. Ray III, Chief Executive Officer, FTX Debtors,” U.S. House Committee on Financial Services (Dec. 13, 2022), available at HHRG-117-BA00-Wstate-RayJ-20221213.pdf (house.gov).

[16] See Id.

[17] See U.S. House Committee on Financial Services, Hybrid Hearing Entitled: Investigating the Collapse of FTX, Part I (Dec. 13, 2022), available at https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=408483;  See also “Declaration of John J. Ray in Support of Chapter 11 Petitions and First Day Pleadings, In re FTX Trading, Ltd, et al, (Del. Bankr. Ct. Nov. 17, 2022) (“Many of the companies in the FTX Group, especially those organized in Antigua and the Bahamas, did not have appropriate corporate governance. I understand that many entities, for example, never had board meetings.”).

[18] See U.S. House Committee on Financial Services, Hybrid Hearing Entitled: Investigating the Collapse of FTX, Part I (Dec. 13, 2022), available at https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=408483.

[19] See Id.

[20] Declaration of John J. Ray in Support of Chapter 11 Petitions and First Day Pleadings, In re FTX Trading, Ltd, et al, (Del. Bankr. Ct. Nov. 17, 2022).

[21] See Id.

[22] See U.S. House Committee on Financial Services, Hybrid Hearing Entitled: Investigating the Collapse of FTX, Part I (Dec. 13, 2022), available at https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=408483.

[23] I note that LedgerX, LLC (d/b/a FTX US Derivatives), a digital currency futures and options exchange and clearinghouse that is regulated by the CFTC, did not file for bankruptcy, as the debtor deemed it solvent.

[24] Motion of Debtors for Entry of Interim and Final Orders (I) Authorizing the Debtors to Operate a Post-Petition Cash Management System . . . .,” In re FTX Trading, Ltd, et al, (Del. Bankr. Ct. Nov. 19, 2022).

[25] See U.S. House Committee on Financial Services, Hybrid Hearing Entitled: Investigating the Collapse of FTX, Part I (Dec. 13, 2022), available at https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=408483.

[26] Id.

[27] See K. Clark, The Rise Before the Fall, The Information (Nov. 11, 2022), available at https://www.theinformation.com/articles/ftxs-vc-backers-that-lost-the-mostSee also R. Goswami, FTX’s venture backers included Patriots owner Robert Kraft and billionaire Paul Tudor Jones, new filings show, CNBC (Jan. 10, 2023), available at FTX investors included Robert Kraft, Paul Tudor Jones: new filings (cnbc.com) (providing a more granular breakdown of FTX fundraising).

[28] See Id.; See also Forbes, C. Peterson-Withorn, Exclusive: These Investors Stand to Lose the Most from the Crypto Exchange’s Implosion,” Forbes (Nov. 10, 2022), available at Exclusive: These FTX Investors Stand To Lose The Most From The Crypto Exchange’s Implosion (forbes.com).

[29] See Id.

[30] See Id.

[31] See Id.

[33] Data as reported in H. Miller, Crypto Startup Funding Falls to Lowest Level in Almost Two Years, Bloomberg (Jan. 9, 2023), available at Crypto Startup Funding Falls to Lowest Level in Almost Two Years - Bloomberg.

[34] See Id.

[35] See Id.

[37] See “Declaration of John J. Ray in Support of Chapter 11 Petitions and First Day Pleadings, In re FTX Trading, Ltd, et al., (Del. Bankr. Ct. Nov. 17, 2022)

[38] See Id.

[39] “Motion of Debtors for Entry of an Order Authorizing the Debtors’ Assumption of, and Entry into, the Custodial Services Agreements,” In re FTX Trading, Ltd, et al, (Del. Bankr. Ct. Nov. 23, 2022).

[40] Created by the Association of International Certified Professional Accountants (“AICPA”), a “SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.  SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by those systems.”  See AICPA, SOC 2 (last visited Jan. 18, 2023), available at SOC 2® | AICPA.

[41] As a former Inspector General (“IG”), I understand the critical value of oversight.  As an IG who investigated white collar crime, I understand the critical value of oversight to combat market manipulation.  I served as the Special Inspector General of TARP at Treasury from 2012 to 2022 after being nominated by President Obama and unanimously confirmed by the Senate.

[42] The Commodity Futures Modernization Act of 2000 created a self-certification process for CFTC-regulated exchanges that are, or use, self-regulatory organizations (“SROs”) to list new products without having to seek Commission approval for each contract.  A registered exchange is required to give only 24 hours’ notice to the Commission after self-certifying that the contract (product) complies with applicable law.  The CFTC can stop the initial listing only when the Commodity Exchange Act (“CEA”) or CFTC regulations may be violated—which could prove difficult to determine in 24 hours.

[43] Because of the risk of market manipulation in digital assets, I also have significant concerns about continuing self-certification for digital asset futures without Congress providing the Commission additional oversight authority to stop the listing.  Historically, the self-certification process for digital asset futures has relied heavily on exchanges voluntarily following CFTC staff guidance, including obtaining information sharing agreements with spot markets.  See CFTC Division of Market Oversight, CFTC Division of Clearing and Risk, Advisory with respect to Virtual Currency Derivative Product Listings, CFTC Staff Advisory No. 18-14 (May 21, 2018), available at 18-14 (cftc.gov).  However, it is not mandatory.  Further, even with information sharing, the futures exchange may not have access to all of the facts relevant to certify that the spot market reference price is not readily susceptible to manipulation.  Just think, for example, if there were a futures contract that referenced FTX’s proprietary FTT token (which there was not).  Additionally, conflict-of-interest concerns are present if the futures exchange also owns the spot exchange.  The CFTC has already alleged fraud in this area against Gemini for misrepresentations about this core principle related to the bitcoin futures contract self-certified by Cboe in 2017, which settled to the Gemini Exchange Bitcoin Auction Price.  See CFTC, CFTC Charges Gemini Trust Company for Making Material False or Misleading Statements and Omissions to the Commission, Release No. 8540-22 (June 2, 2022).

[44] If the Commission were to approve digital assets for listing, I am cognizant that we would need to make timely decisions and that there would be a resource challenge.  Currently, if an exchange opts to seek Commission approval, the Commission would have up to 90 days for a decision.  I am also cognizant of a fear that the Commission would be endorsing the digital asset.  I believe that fear can be sufficiently managed by the Commission being clear that approval would be limited to allowing the listing of the contract and would not be an endorsement of the digital asset.

-CFTC-