Blockchain & Cryptocurrency , Next-Generation Technologies & Secure Development , Standards, Regulations & Compliance
BlockFi to Pay SEC, State Regulators $100M in PenaltiesCrypto Platform Reaches Settlement Over Alleged Unregistered Securities
The U.S. Securities and Exchange Commission has confirmed that BlockFi, a cryptocurrency lending platform based in Jersey City, N.J., has been charged with failing to register its lending product and violating registration provisions. To settle the SEC's charges, it will pay a $50 million penalty, cease unregistered offers and sales of the product, and comply with the law within 60 days.
See Also: Mobile App Friction Report: Crypto Edition - Onboarding
In parallel actions announced on Monday, the platform agreed to pay an additional $50 million in fines to 32 states to settle similar charges. And according to SEC officials, BlockFi will also register a new crypto lending product.
The penalties are among the highest levied against a cryptocurrency platform. The settlement does not affect existing account holders.
BlockFi did not admit to or deny the SEC's and state charges, officials say, but agreed to a cease-and-desist order prohibiting it from violating related laws. It also agreed to cease offering or selling the lending product in the U.S.
'First Case of Its Kind'
"This is the first case of its kind with respect to crypto lending platforms," SEC Chair Gary Gensler said in a statement. "Today's settlement makes clear that crypto markets must comply with time-tested securities laws. … It further demonstrates the commission's willingness to work with crypto platforms to determine how they can come into compliance with those laws."
Gurbir S. Grewal, who heads the SEC's Division of Enforcement, added in the statement: "Crypto lending platforms offering securities like BlockFi's BIAs should take immediate notice of today's resolution and come into compliance with the federal securities laws. Adherence to our registration and disclosure requirements is critical to providing investors with the information and transparency they need to make well-informed investment decisions in the crypto asset space."
According to the SEC's order, BlockFi, between March 2019 and 2022, offered and sold BlockFi Interest Accounts, or BIAs, in exchange for a promise to provide a monthly interest payment. The order says that because BIAs are securities, BlockFi was required to register with the SEC, but failed to do so.
The SEC charged the platform with operating for more than 18 months as an unregistered investment company.
SEC officials also charged BlockFi with making "a false and misleading statement for more than two years on its website concerning the level of risk in its loan portfolio and lending activity."
On Monday, BlockFi CEO and founder Zac Prince told ISMG: "We have always known that strong engagement with regulators would be critical for the adoption of financial services powered by cryptocurrencies. Today's milestone is yet another example of our pioneering efforts in securing regulatory clarity for the broader industry and our clients."
Enforcement in NJ and Elsewhere
On the state-level action, New Jersey acting Attorney General Matthew J. Platkin on Monday confirmed that the platform had reached a related agreement with the state and others.
Of the total settlement, $50 million will be paid to the SEC, and up to $50 million will be divided equally among participating members of the North American Securities Administrators Association. New Jersey's share will be $943,396.
New Jersey's Bureau of Securities alleged that BlockFi had raised at least $14.7 billion worldwide through the sale of unregistered securities. The platform had more than 400,000 related account holders on Dec. 31, 2021, Platkin's office said Monday.
"Cryptocurrency-related investments may offer investors something new, but they must still follow the rules," Platkin said in a statement. "Today's action shows that companies providing digital asset financial products and services must comply with state and federal law."
The enforcement action comes at a time of regulatory uncertainty surrounding crypto assets, including both token trading and securing the platforms.
Blockchain security experts, while praising the immutable visibility of the public ledgers, have continued to say that many crypto platforms and startups do not offer robust cybersecurity controls.
In fact, some of the most significant cyberattacks in recent months have targeted cryptocurrency platforms, particularly those operating in the decentralized finance, or DeFi, space. DeFi does not depend on traditional financial intermediaries and instead is powered by peer-to-peer smart contracts across decentralized apps, or DApps, that typically run open-source software.
A hack in summer 2021 - by the now-infamous "Mr. White Hat" - struck the blockchain-powered platform Poly Network and drained the protocol of more than $600 million, although the hacker gradually returned the funds, perhaps over the inability to launder them (see: Poly Network Says $600 Million in Cryptocurrency Stolen).
Lawmakers including Sen. Elizabeth Warren, D-Mass., have been outspoken critics of crypto platforms, citing price volatility and unsecure DApps. Others, such as Gensler, have called the asset class "rife with fraud, scams and abuse."
Apparent Coinbase Bug?
In other news on the cryptocurrency front, a Twitter user and security hacker known as Tree of Alpha detected an alleged flaw that could have been exploited in Coinbase's advanced trading platform over the weekend (see: The Security Implications of Coinbase's Super Bowl Ad).
Coinbase, which spun up in 2012, is one of the largest cryptocurrency exchanges, serving more than 73 million users worldwide with $327 billion traded each quarter, according to its website.
After the researcher, aka Tree of Alpha, disclosed the findings to Coinbase, the cryptocurrency trading platform announced it had disabled retail trading abilities, deactivating new orders and allowing cancel-only mode, to investigate the findings. Coinbase, according to Tree of Alpha, was quick to issue a patch for the vulnerability. Tree of Alpha posted a photo of related technical details, adding that they would follow up at a later date with further analysis of the alleged vulnerability.
Advanced Trading is resumed, and I have verified that the exploit has been patched as recommended.— Tree of Alpha (@Tree_of_Alpha) February 12, 2022
Full thread on the vuln and how Coinbase's swift response avoided some serious company & market damage as soon as I'm allowed (hopefully next week).
Good weekend to all. pic.twitter.com/pguInKORwW
Coinbase CEO Brian Armstrong praised the anonymous hacker for the work, welcoming the collaboration.
.@Tree_of_Alpha you're awesome - a big thank you for working with our team— Brian Armstrong - barmstrong.eth (@brian_armstrong) February 11, 2022
love how the crypto community helps each other out!
Meanwhile, according to blockchain analytics firm Elliptic, nearly $11 billion was reportedly lost due to theft and fraud in crypto in 2021 - a 600% increase from 2020.