Bridging the Week by Gary DeWaal


Bridging the Week by Gary DeWaal: September 18 to 22 and September 25, 2017 (My Affiliate’s Keeper?; CFTC Flexes Cryptocurrency Muscle; Can SEC Keep a Secret?)

Bridging the Week    Compliance Weeds    My View    Trade Practices (including Disruptive Trading)    AML and Bribery    Registration    Cybersecurity    Bitcoin Ecosystem    Position and Trade Reporting    Supervision    Legal Weeds    APAC Regulation (sans Capital and Liquidity)    Fraud and Anti-Fraud   
Published Date: September 24, 2017

Last week, the Commodity Futures Trading Commission required a futures commission merchant to pay a fine of US $2.5 million to resolve charges it failed to supervise a response to a CME Group investigation when the FCM relied on an affiliate’s analysis of the affiliate’s own block trades – and the analysis turned out to be misleading. Separately, the FCM's affiliate agreed to pay an additional fine of US $2.5 Million in connection with an investigation by the US Attorney's Office for the Western District of North Carolina for trading ahead of customers in connection with block trades. Also, the CFTC dramatically expanded its footprint in the oversight of cryptocurrencies when it brought an enforcement action against two persons in connection with an alleged Ponzi scheme involving Bitcoin. Importantly, the CFTC's complaint included no allegations regarding futures or swaps. As a result, the following matters are covered in this week’s edition of Bridging the Week:

Video Version:

Article Version:

Briefly:

Separately, BANA agreed to pay an additional fine of US $2.5 million to resolve an investigation brought by the US Attorney's Office for the Western District of North Carolina for engaging in impermissible pre-hedging activity in connection with block trades. According to a settlement agreed to by BANA, during the relevant time, on occasion, some BANA traders would secretly listen to telephone calls by other BANA traders with customers regarding block trades, and pre-hedge those transactions prior to the block trades being consummated  At the time, pre-hedging of block trades was not permitted on CME Group exchanges until after a block trade was executed. (Click here for sample CME Group Market Regulation Advisory Notice regarding Rule 526 dated January 6, 2015; see Q/A 10.)

According to the CFTC, in response to various inquiries by CME Market Regulation whether certain BANA personnel traded futures on CME Group’s Globex electronic trading platform in advance of executing corresponding block trades, Merrill’s legal and compliance staff (“L&C Staff”) relied on BANA’s business operations support group (“the Support Group”) to assemble relevant information and to communicate with relevant BANA traders, as necessary. CME Market Regulation’s inquiries were conducted from February 2008 through December 2010.

In response, said the CFTC, the Support Group – which did not report to Merrill’s or BANA’s L&C Staff – provided Merrill’s L&C Staff an analysis of the relevant trading that omitted showing “that on a number of occasions, certain [BANA] Swaps Desk traders traded substantial volumes of futures contracts on Globex in the five minute window before the recorded execution time of a block trade in that same futures contract.” BANA’s Support Group knew this information but kept it from Merrill’s L&C Staff.

Moreover, claimed the CFTC, BANA’s traders did not admit to trading ahead during interviews conducted by CME Market Regulation staff during November 2010. Consistent with this testimony, outside counsel for Merrill also wrote to CME Market Regulation in December 2010 “in reliance on the traders’ representations” that BANA’s traders “did not have advance knowledge of a block trade such as to enable them to engage in any trading prior to the execution of the block.” BANA withdrew this letter in May 2013.

The CFTC charged that Merrill’s L&C Staff’s reliance on BANA’s Support Group without more closely monitoring its work contributed to the firm’s inability to detect the purported trading ahead before BANA’s traders provided misleading information to CME Market Regulation. The CFTC charged that Merrill’s L&C Staff’s “minimal oversight” over the Support Group and failure “to stay adequately informed” of the Support Group’s findings constituted a failure to supervise its employees and agents in violation of CFTC requirements (click here to access CFTC Regulation 166.3).

The CFTC also charged as a failure to supervise that, from at least January 2010 through October 2010, Merrill had “inadequate procedures” regarding, among other matters, who was responsible for the preparation and maintenance of records related to block trades and how employees should record the execution time of a block trade. The Commission additionally alleged that, from at least January 2010 through June 2012, Merrill did not always record a correct execution time in connection with block trades on relevant trade tickets. This, said the Commission, constituted a violation of the CFTC’s recordkeeping requirements. (Click here to access current CFTC Regulation 1.31 and here for CFTC Regulation 1.35; these regulations were amended earlier this year, but did not materially impact obligations of FCMs related to block trades.)

In addition to agreeing to pay a fine, Merrill consented to have audits conducted at certain prescribed intervals during the next five years regarding certain elements of its handling of block trades. Merrill did not admit or deny any findings or conclusions published by the CFTC in agreeing to its settlement. BANA also agreed to various undertakings to resolve the US Attorney's Office's investigation; it agreed to all facts in its settlement order.

Both the CBOT and CME brought disciplinary actions against Merrill during October 2013 for failure to supervise; making a verbal or material misstatement to it; and not preparing accurate records regarding, and timely reporting, block trades, as required (click here to access the relevant CBOT Notice of Disciplinary Action and here to access the relevant CME notice). The facts underlying the CME Group disciplinary actions appear materially the same as those behind the CFTC’s action. Merrill agreed to pay an aggregate fine of US $250,000 to settle the CME Group disciplinary actions.

Bank of America Corporation ("BoA") owns both Merrill and BANA, although it did not completely acquire Merrill until January 1, 2009, after the initiation of CME Market Regulation's inquiries regarding BANA's block trades. BoA originally announced its intention to purchase Merrill during September 2008.

Compliance Weeds: Prior to November 8, 2016, all persons trading on CME Group exchanges were prohibited from engaging in pre-hedging transactions after receiving a counterparty order for a futures block trade until after such block trade was executed. Now, pre-hedging/anticipatory hedging is permitted on CME Group as well as other exchanges under certain circumstances, except when an intermediary takes the opposite side of its own customer order. (Click here for background in the FIA PowerPoint presentation entitled “Exchange Amendments to Block Trade Pre-Hedging Rules" dated November 21, 2016 by CME Group, ICE Futures U.S. and NASDAQ Futures. Click here for further background in the article “Pre-Hedging by Principals Authorized in Block Trade Clarification Implemented by IFUS and Adopted by CME Group” in the October 30, 2016 edition of Bridging the Week.)

My View: Although BANA admitted to impermissibly pre-hedging block trades and agreed to material sanctions for that offense, an important fall-out of Merrill's CFTC settlement order is the suggestion that registrants have an affirmative obligation of some kind to ensure that information and analysis they obtain from accountholders is accurate prior to passing it along to regulators even when they have no notice that such information may be inaccurate.

Here, as best as can be surmised from the limited facts set forth in the “Commission’s Order Instituting Proceedings, Making Findings, and Imposing Remedial Sanctions,” Merrill, in connection with a CME Group investigation, relied on an affiliated company (BANA)’s staff to obtain information about BANA’s activities. This is not uncommon within group structures. Likewise, it is not uncommon for registrants to make requests to customers, including affiliated companies, for information requested by regulators and pass along the information to the regulators without substantively testing the accuracy of the production.

There is no suggestion in the settlement order that Merrill somehow directly or indirectly oversaw or was responsible for BANA's swaps desk. Indeed the settlement order makes clear that BANA's Support Group acted fully independently of Merrill's L&C Staff. Moreover BANA's settlement did not suggest any role in its improprieties by Merrill.

According to the CFTC, the bad fact here is that BANA’s personnel allegedly provided Merrill with misleading information, which Merrill’s L&C Staff, and apparently outside counsel for Merrill, relied on – although there was no suggestion they relied on the information in bad faith. As a result, charged the CFTC, Merrill did not detect its affiliate’s possible wrongful conduct and somehow contributed to BANA’s traders providing purportedly misleading testimony to CME Group’s Market Regulation staff during interviews. This, claimed the CFTC, constituted a “failure to supervise” by Merrill of its employees and agents.

The relevant CFTC rule requires Commission registrants effectively to diligently supervise the handling “by its partners, officers, employees and agents…of all commodity interest accounts… and all other activities [of such persons]… relating to its business as a Commission registrant.” However, it is not clear from the settlement precisely what and whom Merrill failed to supervise.

When an affiliate or a third-party customer provides information or analysis to a registrant in response to a regulatory inquiry, it’s not the registrant’s fault if the information is false – absent knowledge by the registrant, or information that arguably suggests that the registrant should have known of the falsehood. Moreover, when a third-party customer or even an affiliate produces information to a registrant for ultimate production to a regulator, the accountholder is acting as principal and the registrant is acting as agent, not the other way around. The Merrill settlement seems to have gotten common sense and relationships wrong: this is not a circumstance of failure to supervise by a registrant; this is a circumstance of an accountholder – as principal – not necessarily telling the truth. Merrill – as far as it seems from the settlement order – was acting solely as an agent in serving as a conduit for information from BANA to CME Market Regulation.

Moreover, it is not clear why the CFTC chose to include in the settlement order a reference to the letter by outside counsel to CME Market Regulation. Apparently, outside counsel may also have been misled by BANA, Merrill’s principal. However, it is unclear how the counsel’s actions contributed (if at all) to Merrill’s failure to supervise charge.

The CFTC can now rely on an express provision of law to prosecute persons that make any false or misleading statement of a misleading material fact to it provided "the person knew, or reasonably should have known, the statement to be false or misleading." (Click here to access Commodity Exchange Act Section 6(c)(2), 7 U.S.C. §9(2).) The CFTC contorts the scope of this law unfairly in this matter.

Going forward, it appears that, when investigating potential wrongdoing by an accountholder, registrants may continue to rely on the accountholder for information. However, registrants may now be expected by the CFTC under their duty of supervision to at least somehow independently assess the reliability of the information – particularly analyses performed by persons that may not be truly independent of a potential wrongdoer – even when a registrant has no reason to think the information may be false or misleading. This may not be practical and seems contrary to the spirit of CEA Section 6(c)(2). Registrants may be required to know their customers, but they cannot be guarantors of their credibility.

Note: This article was amended by 7:30 am on September 25 after initial publication to include information related to the US Attorney's Office investigation and BANA's settlement.

According to the CFTC’s complaint filed in a federal court in New York City, from at least January 2014 through at least January 2016, the defendants solicited approximately US $600,000 from at least 80 customers to trade Bitcoin in a pooled fund using a proprietary algorithm called “Jigsaw.” However, charged the CFTC, the defendants misappropriated most of this money for their own use and rarely traded for customers. The defendants furthered their alleged fraud, claimed the CFTC, by making false and misleading statements to potential and actual investors by, among other things, overstating customers’ balances, falsely representing trading performance and activity, and falsely representing past performance. The CFTC seeks a permanent injunction against the defendants, disgorgement and fines, as well as other relief.

Legal Weeds: This CFTC complaint has significant ramifications beyond its four corners. It represents a powerful statement by the Commission that it will exercise jurisdiction over cryptocurrencies when there is potential fraud – even if the fraud does not involve derivatives based on cryptocurrencies.

The genesis of this position is grounded in the Commodity Exchange Act – the law under which the CFTC derives its authority.

According to the CEA, a commodity is any of certain enumerated traditional commodities (e.g., wheat, cotton, corn) and “all other goods and articles” (emphasis added) except onions and motion picture box office receipts. In 2014, Timothy Massad, then chairman of the CFTC, declared that cryptocurrencies were commodities under the CEA, and the CFTC subsequently brought two enforcement actions against persons for engaging in activities requiring registration under the CEA without being registered. In July, the CFTC also approved the registration of LedgerX as a swap execution facility and derivatives clearing organization to handle fully collateralized swaps potentially settling in cryptocurrencies. (Click here for general background regarding these matters in the article “LedgerX Approved by CFTC as First Derivatives Clearing Organization for Fully Collateralized Swap Contracts Potentially Settling in Bitcoin” in the July 30, 2017 edition of Bridging the Week.)

The CFTC brought its current action under a relatively new provision of law (enacted as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act) and Commission regulation that prohibits any person from using a manipulative or deceptive device or contrivance in connection with any “contract for sale of any commodity in interstate commerce” – not solely in connection with swaps or a commodity for future delivery on or subject to the rules of any registered entity. (Click here to access CEA Section 6(c)(1), 7 U.S.C. §9(1) and here for CFTC Rule 180.1(a).) The CFTC has previously employed these legal provisions in response to a wide variety of fact patterns from their first use in the JP Morgan “London Whale” episode to allegations of illegal off-exchange metals transactions, insider trading, claims of more traditional manipulation and attempted manipulation (without endeavoring to show an artificial price) and allegations of spoofing. (Click here for background in the article, "International Bank and Affiliates Settle Two CFTC Enforcement Actions for Alleged Benchmarks Manipulation" in the June 5, 2016 edition of Bridging the Week.)

The CFTC's willingness to use these provisions in response to a fact pattern related to a commodity only – Bitcoin –, and not to futures or swaps based on Bitcoin, is a powerful statement about its view of its own role in the cryptocurrency arena going forward.

(EDGAR is used by the SEC to collect submissions by companies and foreign governments required to periodically file certain information with it.)

The SEC noted, however, that it does not believe that the hacking resulted in the compromise of personally identifiable information. The SEC said that the hacking occurred through the test-filing component of the EDGAR system and was patched “promptly after discovery.”

Just last month, the SEC’s Office of Compliance Inspections and Examinations issued a report saying that while firms have “increased cybersecurity preparedness” since 2014, broker-dealers’, investment advisers’ and investment companies’ cybersecurity policies and procedures are not uniformly tailored to their business because they are too vague or general and are not always followed or enforced.

Moreover, the SEC has brought two enforcement actions against registrants for failing to comply with Regulation S-P over the past two years. Under this regulation, registered broker-dealers, investment advisers and investment companies must adopt written policies to help protect customer records and information. The rule addresses administrative, technical and physical safeguards regarding such information. (Click here for further information on the OCIE’s recent report and the SEC’s enforcement actions in the article “SEC Watchdog Finds Cybersecurity Policies Better But Not Always Enforced” in the August 13, 2017 edition of Bridging the Week.)

My View: In June 2016, the SEC’s Office of the Inspector General issued a report criticizing the agency’s handling of information security. Among other things, the OIG said that the SEC’s Office of Information Technology did not “effectively” monitor the risks of system authorizations. (Click here for further information in the article “SEC Inspector General Criticizes Agency’s Sensitive Information Security” in the June 19, 2016 edition of Bridging the Week.) Two month’s later, the SEC’s Inspector General announced that it issued a report to Congress related to the security of confidential personally identifiable information collected and retained by the Commission. However, because “this report contain[ed] sensitive information about the SEC’s security program,” the Inspector General declined to publicly release the report or even a high-level summary. This seemed odd at the time; it seems even odder under current circumstances. Perhaps at least some sanitized version of this report should be issued now. (Click here for background in the article “Don’t Ask, Don’t Tell: SEC Issues Secret Report on Its Cybersecurity” in the August 21, 2016 edition of Bridging the Week.) This is particularly important as the SEC continues to oversee the development of a single consolidated audit trail (known as “CAT”) to track all equities and options trading on US markets. The temptation to hack such a centralized and rich database might be very high for nefarious persons and, as a result, protections and governance around CAT must be exceptionally strong. (Click here for background in the article “SEC Seeks Views on Whether Proposal for Single Consolidated Audit Trail of All Equity and Equity Options Trading Is CAT’s Meow” in the May 1, 2016 edition of Bridging the Week.)

Compliance Weeds: Unfortunately, as I have frequently written previously, there are only two types of financial services firms: those that have experienced cybersecurity breaches and addressed them, and those that have experienced cybersecurity breaches and did not know. (I will now add government agencies to my frequent statement.) By this time, all financial service firms and government agencies—no matter what size—should have assessed or be in the process of assessing or reassessing the scope of their data (e.g., customer information, proprietary), potential cybersecurity risk, protective measures in place – including ongoing testing, consequences of a breach and cybersecurity governance (e.g., how would they react if a breach occurred) in order to evaluate their cybersecurity needs and develop a robust protective program. (Click here for a dated but still useful discussion of cybersecurity and a comprehensive checklist of practical measures in the June 24, 2015 Advisory entitled “Cyber-Attacks: Threats, Regulatory Reaction and Practical Proactive Measures to Help Avoid Risks” by Katten Muchin Rosenman LLP.) 

More briefly:

For further information:

Afghanistan and Lao PDR Removed From FATF’s AML/CFT Deficiency List:
https://www.fincen.gov/sites/default/files/advisory/2017-09-15/FinCEN%20FATF%20Advisory-FIN-2017-A005_0.pdf

CFTC Enhances Online Form 40 Portal:
http://www.cftc.gov/PressRoom/PressReleases/pr7612-17#PrRoWMBL

CFTC Files Charges Alleging Bitcoin Ponzi Scheme Not Involving Derivatives:
http://www.cftc.gov/idc/groups/public/@lrenforcementactions/documents/legalpleading/enfgelfmancomplaint09212017.pdf

ETRADE Securities HK Sanctioned for Referring Accounts to Non-HK-Registered Affiliate:
http://www.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/doc?refNo=17PR124

FCM Agrees to Pay US $2.5 Million CFTC Fine for Relying on Affiliate’s Purportedly Misleading Analysis of Block Trades for a CME Group Investigation:

SEC Discloses Trading May Have Occurred Based on Confidential Information Illicitly Obtained From Hack of EDGAR System in 2016:

Announcement:
https://www.sec.gov/news/press-release/2017-170
Statements:

The information in this article is for informational purposes only and is derived from sources believed to be reliable as of September 23, 2017. No representation or warranty is made regarding the accuracy of any statement or information in this article. Also, the information in this article is not intended as a substitute for legal counsel, and is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The impact of the law for any particular situation depends on a variety of factors; therefore, readers of this article should not act upon any information in the article without seeking professional legal counsel. Katten Muchin Rosenman LLP may represent one or more entities mentioned in this article. Quotations attributable to speeches are from published remarks and may not reflect statements actually made.


© 2017 Katten Muchin Rosenman. All Rights Reserved.