An international bank settled an enforcement action brought by the Commodity Futures Trading Commission for spoofing. However, in the process, the CFTC went out of its way to laud the bank for self-reporting the incident, as well as its cooperation in the CFTC’s investigation and voluntary efforts to enhance its internal processes to detect spoofing and train staff going forward. Separately, a UK-based financial institution was assessed a fine of the equivalent of approximately US $21.5 million by the Financial Conduct Authority for a cyber breach that detrimentally impacted some customers. Although the FCA acknowledged that the bank’s cybercrime framework was “appropriate,” it said that employees did not follow it. As a result, the following matters are covered in this week’s edition of Bridging the Week:
Typically, said the CFTC, a trader would place a small order for gold or silver futures on the Commodity Exchange, Inc. at or near the best price, followed by a larger order on the opposite side of the market away from the best price. The goal of the spoofing order was to suggest greater buying or selling interest, and to induce execution of the trader’s small order. If the trader was successful, the trader’s small order would be executed after which the trader would cancel the larger order, alleged the CFTC.
According to the CFTC, BNS was alerted to the potential spoofing trading of one of its NY-based traders by its futures commission merchant. In response, BNS conducted an internal review, terminated the one trader, and self-reported the trading activity to the CFTC, including providing “thousands of documents,” other information and analysis. BNS also implemented an enhanced surveillance system, hired a full-time surveillance monitor, and augmented its spoofing training programs, said the CFTC.
In a press release issued by the CFTC in connection with publication of the relevant settlement order, James McDonald, CFTC Director of Enforcement, stated that BNS received a “substantially-reduced penalty” because of its self-reporting and cooperation.
Legal Weeds 1: Last year, Mr. McDonald made clear that potential wrongdoers who voluntarily self-report their violations, fully cooperate in any subsequent CFTC investigation, and fix the cause of their wrongdoing to prevent a re-occurrence will receive “substantial benefits” in the form of significantly lesser sanctions in any enforcement proceeding and “in truly extraordinary circumstances,” no prosecution at all. (For background, see the article “New Math: Come Forward + Come Clean + Remediate = Substantial Settlement Benefits Says CFTC Enforcement Chief” in the October 1, 2017 edition of Bridging the Week.)
Since then, the CFTC Division of Enforcement has routinely reiterated this view in connection with settlements of enforcement actions where it acknowledged self-reporting and cooperation. This settlement is the latest example.
Legal Weeds 2: I don't ordinarily cover traditional fraud cases in Bridging the Week as they don't typically provide insight into novel legal theories or important new lessons for legitimate industry participants. However, a recent victory by the CFTC in its enforcement action against Gregory L. Gramalegui is worth noting. In that case, the CFTC prevailed in litigation against Mr. Gramalegui where it had charged violations of the anti-fraud provisions of relevant law and disclosure requirements of CFTC rules in connection with his solicitation of customers for a futures trading system and an advisory service, among other offenses. The federal court in Colorado hearing this matter found that the CFTC proved its allegations and assessed a fine against Mr. Gramalegui of US $1.9 million and ordered disgorgement.
Among its claims, the CFTC charged Mr. Gramalegui with making false statements to it in connection with a provision of law added as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010. This provision renders it illegal for a person to make a false or misleading statement to the CFTC or omit material information to deceive the Commission, "if the person knew, or reasonably should have known, the statement was false or misleading" in connection with material facts. (See 7 U.S.C. § 9(2).)
According to the Court, "a statement is actionable under this section when it is either literally untrue or when it fails to include all information necessary to give the recipient a complete and accurate picture of the state of affairs communicated." Here the court found that the defendant violated this provision of law when he told the CFTC in connection with a deposition that he did not advertise for clients but that clients found him through Google and other search engines; he did not send out marketing emails between September 2014 and 2015; and he played no role in a statement on his website that "most traders have made enough on one trade to pay for the[ir] monthly subscription," as well as when he did not tell the CFTC that he communicated to customers other than through one identified email account and that he had altered the copy of his website prior to producing it to the CFTC, among other statements and misstatements. Each of these statements was false or misleading, said the court. Moreover, the court concluded that each of these misstatements and omissions was material and, accordingly, gave rise to a violation of the relevant provision of law.
Mom always said to tell the truth. The CFTC has tools to sanction persons for not following mom's advice.
According to the FCA, because of a design flaw in the debit cards, the attackers used an algorithm to generate authentic debit card numbers, and used these numbers to engage in thousands of unauthorized customer debit card transactions. After the cyber-attack began and was first detected early on Saturday, November 5, 2016, staff committed a number of errors which delayed fully stopping the cyber-attack and restoring normal debit card use by all customers until November 9. Among these errors was that, once the cyber-attack was discovered, the internal team responsible for helping to resolve the cyber-attack emailed a fraud strategy inbox as opposed to telephoning the internal fraud analyst, as required by procedures. This, claimed the FCA, delayed resolution by 21 hours as the email was not reviewed promptly over the weekend. Additionally, once the cause of the cyber-attack was recognized, a number of initial fixes were ineffective. However, because the first fix was not monitored, Tesco did not recognize until after a “few hours” that the fix did not work and that fraudulent transactions were increasing.
Although the FCA acknowledged that Tesco’s cybercrime framework was “appropriate,” it said that relevant individuals did not follow it. According to FCA, “[Tesco’s] financial crime framework was clear and each body within the framework had an appropriate role and each body worked together to achieve the common purpose of mitigating the risk of cybercrime.” Unfortunately, said the FCA, a cybercrime framework “is only as good as the individuals who work within it.”
Ultimately, 8,261 current accounts were impacted by the cyber-attack. The bank reimbursed customers for direct losses and removed all pending debits, as well as refunded all fees, charges, and interest that had been charged.
The FCA indicated that it would have fined Tesco GB £23.5 million (US $30.9 million) but for Tesco’s “high level of cooperation” during the FCA’s investigation, immediate retention of a third-party consultant to review the incident, implementation of the consultant’s recommendations, and other mitigation measures.
Compliance Weeds: Last month, the Securities and Exchange Commission settled an enforcement action against Voya Financial Advisors, Inc. – a registered broker-dealer and investment adviser – related to purported deficiencies in the firm’s cybersecurity procedures that the SEC alleged contributed to a cyber intrusion and compromise of customers’ personal information. These deficiencies constituted violations of the SEC’s Safeguard and Identity Theft Red Flags rules. (For background, see the article “Broker-Dealer Resolves SEC Charges That Inadequate Cybersecurity Procedures Led to Cyber Intrusion, Compromising Customer Personal Information” in the September 30, 2018 edition of Bridging the Week.)
Voya agreed to pay a fine of US $1 million to resolve the SEC’s enforcement action.
Earlier this year, AMP Global Clearing LLC, a Commodity Futures Trading Commission-registered FCM, agreed to pay a fine of US $100,000 to resolve an enforcement action brought by the Commission claiming that it failed to supervise a third party’s implementation of “critical” provisions of its information system security program. As a result of this failure, said the Commission, AMP’s technology system was compromised by an unauthorized individual (Infiltrator) who impermissibly copied approximately 97,000 files, including many files that contained confidential personal information. (For background, see the article “CFTC Says Futures Brokerage Firm’s Failure to Supervise Led to Unauthorized Cyber-Attack” in the February 18, 2018 edition of Between Bridges.)
Both SEC and CFTC-registered entities should ensure they maintain a robust information system security program to minimize the likelihood of a cyber-attack as well as policies and procedures expressly designed to detect, prevent and mitigate identity theft in connection with the opening and maintenance of any covered account. This program must be appropriate in light of the size and complexity of the financial institution and nature and scope of its activities. A covered account includes an account for personal, family or household purposes that is intended to permit multiple payments or transactions. This includes a brokerage account or an account at an investment company. However, a covered account also includes any account at a financial institution “where there is a reasonable or foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”
All policies and procedures should be regularly reviewed and updated, as appropriate, and at least annual firm-wide training and ongoing evaluations of critical systems should be implemented. Firms should consider in advance how they would respond to different types and degrees of cyber-attacks. Periodic drills involving mock phishing episodes and cyber-attacks should also be considered to heighten employee readiness.
According to the FSB, today, crypto-asset ownership appears limited among a few market participants. This limits market depth and diminishes the ability of markets to handle large trading volumes. Moreover, noted the FSB, the value of crypto-assets is not derived from the value of underlying assets but from speculation. As a result, to date, the prices of crypto-assets have been “highly volatile.” Additionally, said the FSB, the distributed ledger technology underlying crypto-assets has “limited or no formal governance structure,” and may be subject to “technological errors and limitations.” Among other things, observed the FSB, “[d]ecentralisation and lack of or inadequate governance makes it difficult to resolve technological limitations or errors and may lead to uncertainty and ‘hard forks’ [in proof of work governance structures] by a subset of miners.”
The FSB expressed concern that if crypto-assets were more widely used, “negative developments involving crypto-assets could undermine confidence in certain aspects of the financial system and in financial regulators.”
The FSB indicated that, going forward, it will continue to monitor the risk of crypto-assets to financial stability on an “ongoing basis.” Established in 2009, the FSB is an international organization comprising representatives of national authorities responsible for financial stability in material international financial centers that monitors and makes recommendations about the global financial system.
Among other developments these past two weeks involving crypto-assets:
My View: The crypto-asset market is very small today compared to other financial assets. According to the FSB, the market capitalization of crypto-assets peaked on January 8, 2018, at an estimated US $830 billion, 35 percent of which was attributable to bitcoin. As of October 4, market capitalization had declined to approximately US $210 billion. This represented 0.9 percent of the market capitalization of the S&P 500 on that date, and 2.8 percent of the global value of gold.
Views on the potential benefits of distributed ledger technology and associated crypto-assets are widely divergent. Last week Nouriel Roubini, Professor of Economics at the Stern School of Business, New York University, testified before the US Senate Committee on Banking, Housing and Community Affairs that “[b]itcoin and other cryptocurrencies represent the mother of all bubbles” and that “blockchain is the most over-hyped – and least useful – technology in human history.” Alternatively, Peter Van Valkenburgh, Director of Research at Coin Center, argued before the same subcommittee that “the benefits of [blockchain] technology are real.” He said that digital cash offers “efficiencies that existing electronic transmission cannot,” digital identity “may solve many of our online security woes,” and the internet of things “may spur greater security, competition, and an end to walled gardens of non-interoperability for connected devices.”
We are less than 10 years from the mining of the first 50 genesis bitcoins. Today the hype of distributed ledger technology and crypto-assets is likely far louder than the number of effective use cases. However, it is hard to imagine that elements of DLT – application of strong cryptography to support blockchains, transactions validated by a consensus protocol designed to be trustless, the capability to transmit and access a store of value anywhere and anytime, and the ability to code technology to self-execute contractual terms – are not important innovations that will continue to be developed and advanced. No one can predict whether any crypto-asset or specific blockchain existent today will survive tomorrow or even be around in today’s form. However, DLT and crypto-assets of some kind are likely to be with us for a long time.
For further information:
CBOE Futures Exchange Amends and Reissues Guidance on ECRPs:
CFTC Proposes to Amend Rules to Track Previously Granted No-Action Registration Relief for CTAs and CPOs; Issues Cross-Border Swaps Reform White Paper:
CME Group Exchanges Sanction Three Traders for Wash Sales, One for Spoofing:
Interdealer Broker, CEO and Senior Manager Named in CFTC Enforcement Action for Communicating Fake Bids, Offers and Executions in FX Options Market; Board Chairman Settles Related Supervisory Charges:
International Financial Regulator Coordinator Says Crypto-Assets Currently Pose No Threat to Financial:
Options Trader Who Settled Related Criminal Charges Resolves CFTC Enforcement Action for Trading Futures Options to Disguise Trading Losses:
SEC Seeks More Views on Proposal for Security-Based Swap Dealers’ Capital, Margin and Segregation Requirements:
Self-Reporting and Cooperation of Non-US-Based Bank Acknowledged by CFTC in Agreeing to US $800,000 Fine for Spoofing by Traders:
UK Bank Fined GB £16.4 Million Related to Cyber-Attack Because of Employee Breakdowns:
The information in this article is for informational purposes only and is derived from sources believed to be reliable as of October 13, 2018. No representation or warranty is made regarding the accuracy of any statement or information in this article. Also, the information in this article is not intended as a substitute for legal counsel, and is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The impact of the law for any particular situation depends on a variety of factors; therefore, readers of this article should not act upon any information in the article without seeking professional legal counsel. Katten Muchin Rosenman LLP may represent one or more entities mentioned in this article. Quotations attributable to speeches are from published remarks and may not reflect statements actually made. Views of the author may not necessarily reflect views of Katten Muchin or any of its partners or other employees.