Speech of Commissioner Kristin N. Johnson: Beyond Policing for Fraud: Post-Crisis Crypto-Corporate Governance Reforms
Blockchain Association Policy Summit
November 30, 2023
Remarks as Prepared
Good afternoon. Thank you, for your gracious and warm welcome.
It’s a pleasure to join you today for the Blockchain Association’s Policy Summit.
I am especially thankful to Kristin Smith for the generous invitation to contribute to this impactful discourse among regulators, members of Congress, market participants, and consumer advocates. I am pleased to be among the distinguished speakers sharing thoughts with you today. Before I begin, standard disclaimer that my comments today represent my thoughts and not those of the Commission or my fellow Commissioners, but I am hopeful that some of my reflections will shape very important ongoing dialog on these issues.
We have, indisputably, arrived at a transformative moment in the development and evolution of global financial markets.
Last week, the Commodity Futures Trading Commission (CFTC or Commission) announced the resolution of litigation against Binance, one of the world’s largest crypto-trading platforms, as well as the now-former Chief Executive Officer and founder of Binance, Changpeng Zhao, and Binance’s former Chief Compliance Officer Samuel Lim.
The $4.35 billion overall penalty captured significant media coverage and headlines around the world. While both the size of the penalties and the coordination by law enforcement authorities—the CFTC, the U.S. Attorney’s Office, FinCEN, and OFAC—are remarkable, neither should overshadow a third issue that is very much worth noting as we consider the resolution of the litigation.
As I will explain shortly, there is common assumption that enforcement actions in the crypto or digital assets ecosystem connote bad actors or bad conduct. There is plenty of evidence to support this assumption. We frequently initiate actions that involve fast-talking or fast-typing fraudsters using various electronic platforms to convince customers seeking crypto investment opportunities to transfer cash, coins, or tokens to a platform or wallet that will yield unsurpassed interest or unimaginable returns from investments in digital assets.
Long after customers transfer cash, coins, or funds, the CFTC Division of Enforcement investigates and pulls back the curtain to reveal scammers who captured customer funds or assets and purchased yachts, luxury brand apparel, sports cars, or beachfront property.
Scammers are perfecting their craft, moving beyond garden variety fraud and age-old Ponzi schemes and orchestrating pig butchering and rug pulls. In every instance that we find and prosecute such behavior, the CFTC is exercising its broad jurisdiction in the spot market to prosecute fraud or market manipulation.
Returning again for a moment to the Binance resolution and the findings in the cases the CFTC initiated and resolved against three decentralized finance (DeFi) platforms in September, it is worth noting that these matters do not involve an allegation that defendants engaged in fraud or similar misconduct. Rather, in each of these cases the Commission charged defendants with failing to comply with Commission laws and regulations applicable to registered market participants.
In my time with you this afternoon, allow me to outline the CFTC’s authority to enforce in the context of cases alleging misconduct as well as our authority to introduce obligations designed to promote the integrity of markets. Incidentally, many of these corporate health and hygiene measures typically described as corporate governance and risk management protocols also enhance the integrity of the individual firms implementing these reforms.
Next, I will discuss the CFTC’s enforcement agenda in recent years with a focus on the last fiscal year and the cases initiated or resolved by the Commission, in particular several important digital asset cases brought in the aftermath of the crypto-winter crypto-market crises. In several of these cases, the defendants’ solvency or liquidity crises revealed misconduct in the digital asset ecosystem, and significant corporate governance and risk management failures played a critical role in escalating and, in some cases, amplifying the scope of the crisis.
In response to these observations, I have strongly advocated for the Commission to take steps to affirmatively introduce corporate governance and risk management reforms.
Finally, I will turn back to the Binance and recent DeFi resolutions, which reinforce the need for the reforms that I am advocating for the Commission to adopt and implement. These reforms will bring much needed guidance and regulatory clarity for market participants engaged in digital commodity markets.
Enforcement Jurisdiction in the Digital Asset Ecosystem
The Commodity Exchange Act establishes two of the most important mandates for the CFTC. First, the Commission has broad enforcement jurisdiction. The Commission may prosecute fraud and manipulation in interstate transactions involving any commodity.
Second, the Commission has exclusive jurisdiction to regulate derivative transactions involving commodity derivatives contracts including swaps, options and futures contracts.
With respect to enforcement, Section 6(c)(1) of the Commodity Exchange Act (CEA) and CFTC Regulation 180.1(a) allow the CFTC to prosecute fraud in connection with a contract of sale of a commodity in interstate commerce. This authority enables the CFTC to initiate enforcement actions that involve fraud in connection with digital assets that are commodities.
To date, the CFTC has initiated 134 enforcement actions against actors in the digital market economy. A significant majority of these cases allege that market participants engaged in fraud or misconduct, including several of the most important investigations and civil enforcement actions in crypto-markets to date.
Before turning to a few examples, it may be worth surveying the Commission’s enforcement statistics over the last several years.
Over the last year, the CFTC announced a total of 96 enforcement actions, bringing the total number of enforcement actions 20% higher than the previous fiscal year. These enforcement actions include 62 administrative cases and 34 civil injunctive cases.
The categories of cases announced included (1) manipulative conduct, false reporting, and spoofing; (2) supervision, financial integrity and business conduct; (3) system safeguards, reporting, and other regulatory violations by registered entities; (4) illegal off-exchange contracts and failure to register; (5) trade practice violations (including wash trades, fictitious trades, and violations of position limits); (6) reporting and recordkeeping violations; (7) misappropriation of material, non-public, confidential information; (8) statutory disqualification; and (9) fraud.
When we consider the 59 cases brought in the final category—fraud—one notes that the number reflects a marked uptick in conduct perpetrated by bad actors seeking to exploit the complexities of particularly novel financial products. During the last fiscal year, 49% of all of the enforcement actions alleging fraud involved transactions in digital asset markets. This represents a high watermark for the total number of crypto-fraud enforcement actions announced by the Commission.
Year over year for the last two fiscal years, the total number of enforcement actions alleging fraud has roughly doubled. Thus, the total number of crypto-fraud cases initiated by the Commission is almost five times higher than what it was just three years ago. This demonstrates the shocking speed with which participants are entering the market for this asset class as well as how quickly some are identifying ways to exploit it.
Significant Crypto-Fraud Cases
Last fall, within days of FTX filing for bankruptcy, I gave a speech at the Federal Reserve Bank of Chicago predicting that severe corporate governance and risk management failures played a significant role in FTX's collapse. More recently, at a speech at the Federal Reserve Bank of Atlanta, I shared reflections on the litigation against Celsius, Voyager, and Binance.
Several observations emerge from review of this sample of crypto cases.
First, all but one of the firms that the CFTC initiated an enforcement action against are currently seeking bankruptcy protection in U.S. bankruptcy courts. This outcome is deeply unfortunate for the many customers and creditors who may never receive full restitution for their deposits and investments in these firms.
Second, in multiple instances, transparency or the lack of transparency or any visibility into the business operations and risk management practices of the firms involved amplified customer losses and market disruption.
Finally, in several instances, a CEO with unbridled authority (an imperial CEO some might say) operated without the effective checks and balances provided by traditional and long-adopted corporate governance measures such as a majority independent board of directors, internal controls, audited financial statements, an independent auditor, and the extensive examinations of systems safeguards and segregation of customer funds.
There is increasing evidence that corporate governance and risk management programs are, at best, weak or marginalized and, at worst, do not exist at all for all too many firms in the maturing crypto or digital assets ecosystem. As I have previously observed,
What, one might ask, may be gained from studying crises? First, crises have the potential to create catastrophic costs for customers, creditors, investors, markets, and the domestic and global economy. Second, the factors that lead to corporate governance and risk management failures are often clearly identifiable, easily predicted, and often preventable. Third, firms that experience significant corporate governance and risk management failures often seek bankruptcy protection, only to later re-emerge from bankruptcy to solicit and expose new customers to devastating losses because the firms continue relying on the same deeply deficient (and possibly non-existent) governance, compliance, and risk management programs. Unfortunately, unless these firms learn from this experience and adopt a culture of compliance that effectively alters behavior and closes gaps in risk management and corporate governance, they will find themselves repeating the same cycle.
In a post-crisis period, what types of reforms would help to address these concerns? Before answering this question, let’s consider the cases against the three DeFi platforms earlier this fall and the resolution of the litigation against Binance.
Recent DeFi Enforcement Actions
Earlier this fall, the CFTC initiated cases against three DeFi operating companies: Opyn, Inc., Deridex, Inc., and ZeroEx, Inc. Each of these companies created blockchain-based software protocols and smart contracts that permitted users to engage in specific derivative or retail commodity transactions.
Opyn developed a digital asset derivative token called oSQTH. The value of oSQTH was tied to an index that Opyn created called Squeeth, whose value was defined by the price of the square of ether relative to the value of the stablecoin USDC. Investors could take long positions by purchasing oSQTH through Opyn’s website, and take short positions by depositing collateral, specifically 6.9 ether, or 150% of the value of the short position. This is a swap, and that is not just me or the CFTC saying so; Opyn itself described its token as “power perpetuals” that were “similar to a perpetual swap” that provided “options-like” exposure. Put more plainly: the token allowed investors to take a leveraged position in the value of ether, squared, without ever owning ether itself.
Deridex likewise operated a website that solicited investors to its Deridex Protocol. The Protocol allowed users to contribute collateral in order to establish a position with as much as 15x leverage—although Deridex allowed price fluctuations to increase the leverage to as much as 30x before requiring users to contribute more collateral or have their position liquidated. The remainder of the position was financed from a pool of assets supplied by other users of the Protocol, at an algorithmically determined interest rate. Payments on these “perpetual contracts,” as Deridex referred to them, would be exchanged based on the relative value of STABL2 and another virtual currency. Once again, a clear derivative position allowing users to take massively leveraged positions in the underlying digital assets.
The transactions offered by ZeroEx were the most straightforward of the three companies. ZeroEx created a customer-facing application called Matcha for its DeFi protocol (the 0x Protocol) that gave investors access to a variety of tokens. Among those tokens were, for example, a token called BTC 2x Flexible Leverage Index, that allowed purchasers to take a 2:1 leveraged position on the price of bitcoin, returning twice as much returns on an increase of the value of bitcoin, relative to the stablecoin USDC, as would be returned on owning bitcoin itself. Implicitly, of course, such a position would also return double the losses on a decline in the price of bitcoin.
The CFTC charged Opyn and Deridex with failing to register as a futures commission merchant (FCM), or a swap execution facility (SEF) or designated contract market (DCM), and failing to adopt a Customer Identification Plans (CIP) as part of a Bank Secrecy Act compliance program. The Commission also charged all three companies with illegally offering leveraged and margined retail commodity transactions in digital assets.
New(er) Technology, Same Risks
Over the last few months, I have continued to reiterate the value of introducing post-crisis corporate governance reforms.
Intermediaries serve a critical role in achieving this goal by reducing asymmetries of information that are present in any market but are particularly pronounced in digital assets given the opacity of the business models. As I said at the time that the CFTC announced the three DeFi cases:
[T]here may be a shroud obscuring information regarding the design and deployment of critical operational infrastructure, necessary risk management and corporate governance protocols (including policies governing conflicts of interest such as conflicts involving affiliated entities), sufficient liquidity reserves (effective recovery and resilience plans), dedicated commitment to the segregation of customer funds and separation of customer property, cyber risk resilience, or general system safeguards. In the dark, it may be difficult for customers to appreciate real risks and for regulators to use traditional surveillance tools to prevent fraud and market manipulation.”
When firms begin to operate in our markets creating certain types of risks for customers, creditors, investors, and inherently, the firm’s likely success, we typically impose a standard set of corporate governance and risk management obligations.
Introducing Corporate Governance Reforms
I want to end where I started, which is discussing last week’s resolution with Binance. Similar to the DeFi cases, the action against Binance did not allege acts of fraud. Instead, the complaint charged the defendants with offering and executing illegal off-exchange futures, options, and retail commodity transactions; failing to register as an FCM, and a DCM or SEF; failing to diligently supervise, including failing to maintain a CIP, know your customer (KYC) procedures, or an anti-money laundering (AML) program; and conducting activities designed to willfully evade requirements of the CEA and Commission Regulations.
The failure to register meant a failure to maintain KYC programs and CIPs, vastly inhibiting not only the CFTC’s ability to protect customers, but also our ability to ensure that our financial markets are not used to facilitate illicit transactions. The crypto-economy has faced these concerns basically from its inception, and recent studies of the market have found that the use of digital assets for drug trafficking, fraud, cybercrime, sanctions evasions, and other illegal activity is both persistent and increasing.
A New Approach: The Binance Resolution
As I mentioned earlier, however, one of the most interesting aspects of the Binance case is its implications for how the Commission can regulate the digital assets market, specifically the compliance obligations that the consent order imposes on Binance. As part of the resolution, Binance now needs to maintain three independent members of its Board of Directors—and now-former CEO Changpeng Zhao cannot be a member—and it must stand up Compliance and Audit Committees of the Board.
Binance agreed to significant improvements to its compliance program. Binance will now require all accounts to complete an onboarding program, and it will not permit sub-accounts to operate without also undergoing the same KYC procedures. Binance accounts may be operated only by the account registrants, or by additional permitted users who have also undergone KYC/AML onboarding. And to ensure that Binance can no longer turn a blind eye to having derivatives customers located in the United States, and thus to being subject to CFTC regulatory jurisdiction, Binance will operate a Nationality of Business Entity Checklist.
Board independence, KYC and AML procedures, required onboarding—these are foundational basics of corporate governance and compliance programs. And through this enforcement action, the CFTC has been able impose these requirements on a cryptocurrency exchange that has never been registered and remains so. The case is a landmark moment in the CFTC’s oversight of the digital asset market and market participants.
Enforcement actions are not a replacement for comprehensive regulatory reform, and the CFTC does not intend to treat them that way. A regulatory regime defines the rules of the road for all market participants, the vast majority of whom want in good faith to know how their crypto products can comply with CFTC obligations.
I have spent significant time in recent months calling on legislators and regulators in general, and the CFTC in particular, to develop a comprehensive regulatory regime encompassing digital assets. Today, however, I am focusing on how our enforcement actions have created guardrails for the digital asset market in the absence of governmental action specifically tailored to the crypto-economy.
A well-defined rulemaking process would impose far more requirements on crypto-intermediaries than we could ever expect to achieve via an enforcement action. But until such rules are better defined, enforcement actions play a critical role in protecting investors in our markets and ensuring that our markets remain robust and resilient.
 Press Release No. 8825-23, CFTC, Binance and Its CEO, Changpeng Zhao, Agree to Pay $2.85 Billion for Willfully Evading U.S. Law, Illegally Operating a Digital Asset Derivatives Exchange, and Other Violations (Nov. 21, 2023), https://www.cftc.gov/PressRoom/PressReleases/8825-23.
 7 U.S.C. § 9(1); 17 C.F.R. § 180.1(a) (2022).
 7 U.S.C. § 2(a).
 Press Release No. 8822-23, CFTC, CFTC Releases FY 2023 Enforcement Results (Nov. 7, 2023), https://www.cftc.gov/PressRoom/PressReleases/8822-23.
 See Kristin N. Johnson, Commissioner, CFTC, Federal Reserve of Chicago Financial Markets Group Fall Conference, Investing in Investor Protection (Nov. 16, 2022); see also Nahiomy Alvarez, Nomaan Chandiwalla, Alessandro Cocco, 2022 Financial Markets Group Fall Conference–Recap (Feb. 6, 2023), https://www.chicagofed.org/publications/blogs/chicago-fed-insights/2023/2022-fmg-fall-conference-recap.
 Kristin N. Johnson, Commissioner, CFTC, Policing the (Token) Economy: Introducing Corporate Governance and Market Structure Reforms in Crypto and Environmental Commodities Markets (Nov. 13, 2023), https://www.cftc.gov/PressRoom/SpeechesTestimony/opajohnson8.
 Kristin N. Johnson, Commissioner, CFTC, Mitigating Crypto-Crises: Applying Lessons Learned in Governance, Risk Management, and Compliance (Jan. 26, 2023), https://www.cftc.gov/PressRoom/SpeechesTestimony/opajohnson2.
 Press Release No. 8774-23, CFTC, CFTC Issues Orders Against Operators of Three DeFi Protocols for Offering Illegal Digital Asset Derivatives Trading (Sept. 7, 2023), https://www.cftc.gov/PressRoom/PressReleases/8774-23.
 In re Opyn, Inc., CFTC No. 23-40, 2023 WL 5937238, at *2 (Sept. 7, 2023), available at https://www.cftc.gov/media/9211/enfopynorder090723/download.
 In re Deridex, Inc., CFTC No. 23-42, 2023 WL 5937236, at *2 (Sept. 7, 2023), available at https://www.cftc.gov/media/9221/enfderidexorder090723/download.
 In re ZeroEx, Inc., CFTC No. 23.41, 2023 WL 5937239, at *2 (Sept. 7, 2023), available at https://www.cftc.gov/media/9216/enfzeroexorder090723/download.
 Kristin N. Johnson, Commissioner, CFTC, Statement Regarding CFTC Resolving Charges Against Three Decentralized Finance Companies: The Need for Oversight (Sept. 7, 2023), https://www.cftc.gov/PressRoom/SpeechesTestimony/johnsonstatement090723b.
 See, e.g., Financial Crimes Enforcement Network, FinCEN Proposes New Regulation to Enhance Transparency in Convertible Virtual Currency Mixing and Combat Terrorist Financing (Oct. 19, 2023) (“The lack of transparency surrounding international [convertible virtual currency] mixing activity is an acute money laundering and national security risk, and increasing transparency in connection with this activity is a key component to denying illicit actors access to the U.S. and global financial systems . . . and counter the efforts of terrorist groups . . . .”), https://www.fincen.gov/news/news-releases/fincen-proposes-new-regulation-enhance-transparency-convertible-virtual-currency; Department of the Treasury, 2022 National Money Laundering Risk Assessment, at 41 (Feb. 2022) (“U.S. law enforcement agencies have detected an increase in the use of virtual assets to pay for online drugs or to launder the proceeds of drug trafficking, fraud, and cybercrime, including ransomware attacks . . . , as well as other criminal activity, including sanctions evasion.”), https://home.treasury.gov/system/files/136/2022-National-Money-Laundering-Risk-Assessment.pdf.