On 8th November 2018, the US Securities and Exchange Commission (SEC) announced that it had settled charges against Zachary Coburn, founder of decentralised exchange EtherDelta. This is the SEC’s first ruling against an unlicensed decentralised exchange but its fourth enforcement action since the 1 SEC’s new Cyber Unit was launched in September 2017. More importantly, is also the first decision of a regulator globally addressing the personal legal liability of a developer and deployer of decentralized operated code. Obviously, the view of SEC does not necessarily have an implication on how other jurisdictions and regulators approach the question. Nevertheless, it is the first opinion of a regulator on the topic and therefore will remain to have an importance on the future discussion of the matter. As such, it is worth to analyse it in more detail .
According to the Order , the SEC has established that EtherDelta is an online platform for secondary market trading of ERC20 tokens and has “provided a marketplace for bringing together buyers and sellers for digital asset securities through the combined use of an order book, a website that displayed orders, and a “smart contract” run on the Ethereum blockchain.” The SEC also explained that “EtherDelta's smart contract was coded to validate the order messages, confirm the terms and conditions of orders, execute paired orders, and direct the distributed ledger to be updated to reflect a trade”. In so doing, EtherDelta was in violation of Section 5 of the Securities Exchange Act of 1934 which states that an exchange, among other things, provides a “marketplace or facilities for bringing together purchasers and sellers of securities”.
So what’s interesting about this case?
Unsurprisingly, at least some of the tokens bought and sold on EtherDelta were understood by the SEC to be ‘securities’. The SEC has not clarified which - or how many - of these tokens fell under this category. Interestingly, the SEC took as a given that some of the tokens traded on EtherDelta were securities because the smart contract underlying the platform lacked any mechanism to restrict which tokens were traded.
The interesting part of the Order is that SEC concluded that it was irrelevant that EtherDelta used decentralised technology since it still operated as an exchange. Indeed, the Order focused on the ‘exchange-like’ functionality and appearance of the user interface and argued that the website appeared and functioned like a traditional securities exchange since it provided access to an order book, information about users’ daily transaction volumes per token, market depth charts and a list of users’ confirmed trades. The SEC particularly highlighted the fact that users could interact with the EtherDelta smart contract without either running an Ethereum node, or otherwise having an understanding of the details of blockchain technology.
This is significant since there has been much debate about whether existing regulation and legislation can and should be applied to decentralised operated code, such as exchanges, since they operate in a different way from traditional, centralised exchanges. A centralised exchange is usually operated by an individual legal entity, has custodianship over its clients’ assets and serves as a middleman connecting buyers and sellers. In comparison, decentralised exchanges (DEXs) tend to connect users directly and operate autonomously through self-executing smart contract code. At the moment, two kinds of decentralised exchanges seem to be emerging: custodial and non-custodial. With the former there is typically a smart-contract in between the two parties exchanging goods, lacking a central provider operating the code (post-deployment) or controlling the users assets. The assets will be temporarily held in the smart-contract and then settled accordingly by the code. Examples include Oasis Dex, IDEX, Etherdelta, and DEXY. With non-custodial DEXs the assets of a buyer/seller never leave their wallet unless an exchange is confirmed by the smart-contracts. The transaction then occurs directly in a peer-to-peer manner similar to on-chain transfers. The assets being exchanged go directly from one wallet address to another. Examples of these kinds of DEXs include 0x, Ethfinex, Kyber Network, Uniswap and Airswap. However, as Robert Cohen, the chief of the SEC’s new Cyber Unit explains in Forbes,
“The focus is not on the label you put on something or the technology you’re using. The focus is on the function, and what the platform is doing. Whether it’s decentralised or not, whether it’s on a smart contract or not, what matters is it’s an exchange.”
Because decentralised exchanges can be set-up to operate autonomously, they can continue once deployed without any action on the part of the original creators. This makes DEXs notoriously difficult to shut down once deployed. The practical enforcement challenges related to the autonomous nature of DEXs in particular give rise to questions regarding regulation and liability which are being discussed in various jurisdictions around the globe: Since it is the code which is carrying out the activity which is regulated, can the developers and deployers of such code be held responsible for compliance on the platform?
In its ruling, the US regulator answered in the affirmative - at least in relation to the particular case at hand. As Cohen has stated, “using blockchain to create an exchange without central operations doesn’t remove the original creator’s responsibility”. So, in a relatively unprecedented move, the SEC filed charges against Coburn himself on the basis that he had ‘caused’ EtherDelta to operate as an unregistered securities exchange and thereby violate the Securities Act. This is the first decision globally against the creator/developer of a DEX.
Fourth, Coburn agreed to pay a total of $388,000 in disgorgement, prejudgment interest and penalty fees. Given that EtherDelta’s users executed more than 3.6 million orders for tokens during the 18 month period between Coburn founding and selling EtherDelta, it might seem like quite a small financial settlement. It could well mean that the SEC does not want to hinder innovation in this space, but simply wants to send a message that it can and will enforce securities laws.
Does this ruling mean that developers are going to be liable for the use of smart contract platforms they develop from now on? In order to establish that Coburn himself was liable, the SEC demonstrated that:
- EtherDelta had violated securities laws
- Coburn caused EtherDelta to violate the Securities Exchange Act and
- that Coburn knew or should have known that his actions would cause EtherDelta to violate securities laws.
Thereby, much of the Order focused on how Coburn himself had control - and therefore personal liability - over the EtherDelta platform. It describes how Coburn received commercial benefits and effective business control over the platform. Order fees flowed to a wallet controlled by Coburn and points to the fact that Coburn had sole control over the ‘administrator account’ private key which permitted changes to the platform’s code. In reality, the only change he could make was to adjust order fees. Even though this control was minimal, it was commercially relevant. Coburn specifically set fees for posting asks at zero so as to encourage sellers to come to the platform, thereby generating market depth and increasing his fees overall from the buyer side. In addition, the SEC also seemed to find the fact that EtherDelta maintained its order book on a private server, rather than on the Ethereum blockchain itself highly relevant.
The Order against Coburn is highly fact-specific and in the view of the authors does not mean that software developers may be generally held liable for the functions of the smart contract platforms they have developed. Indeed, and as set forth above, EtherDelta was to a large extent operated like a traditional centralized exchange, only using decentralised technology for part of its technical setup and with central control and in particular transaction fees benefiting the developer and operator of the platform. With this background, it is unsurprising that the SEC concluded that it does not matter if the founder of EtherDelta also uses decentralized technology to operate the exchange platform.
In addition, practically and technically speaking, filing charges against the individuals behind DEXs may well be the easiest (and only) way to enforce regulatory and legal compliance. Indeed, this case is likely the result of that difficulty in enforcement, combined with long-standing trends at the SEC toward increased use of personal liability to ensure compliance. Some have predicted that future DEX operators may well be incentivised to launch their exchanges anonymously in order to avoid detection and prosecution. However, we believe that developments such as these simply require more engagement with regulators, not less.
Decentralising decentralised exchanges?
In the Order, the SEC s focuses on EtherDelta’s operations which remained centralised under Coburn’s control. This then begs the question - if EtherDelta had been more decentralised would the charges have been brought against Coburn? This case may be one in a line from US regulators recognising the validity of decentralisation, but holding platforms and developers to high standards on what constitutes true decentralisation. If so, the case gives us some guidelines as to what those requirements might be:
- No commercial control. It’s not clear whether merely receiving the fees from the platform was fatal to Coburn’s position, but combined with his ability to manipulate the fees in order to increase business volume, EtherDelta was insufficiently decentralised.
- No data control. Hosting information on a private server – and not directly on a public blockchain – appears relevant to decentralisation. This makes intuitive sense, given the myriad privacy obligations regarding financial data, and suggests a distinction between systems run fully on a blockchain versus other, more hybrid operations.
Even though EtherDelta did operate as a decentralised exchange, there were a number of elements which remained centralised under Coburn’s control - such as transaction fees - which means that some of the critical legal questions raised by this case remain unanswered. In particular, this case has not settled the issue of whether developers are liable for the truly decentralized code they develop or clarified the liability of individuals deploying such code to a blockchain protocol. With regard to the SEC, there are two points which are particularly instructive. The first is that the SEC seems more concerned with ‘interfaces’ than ‘infrastructure’. Indeed, the Order was far more preoccupied with the user-friendly interface of the EtherDelta platform than the core functionality of its smart contract. Second, there may well be more enforcement actions against individuals but since this ruling settled - Coburn neither denied nor accepted the charges - it does little to set a precedent. The SEC will likely, however, consider much of the world ‘on notice’ following this case, and rely upon that when establishing intent in future enforcement actions.
What would have been the potential outcome if the Swiss Regulator, FINMA, w ould have had to assess the matter? Most likely very similar: In its report on distr ibuted ledger technology in Switzerland published in December 2018, the Federa l Council provided an overview on the applicable regulatory regimes for decentra lised exchanges. It needs to be noted that the federal council indeed acknowledg ed the fact that decentralised structures may fall outside of the scope of existing financial market and AML regulations.
But how to define “decentralised” in this context? We shall provide an in-depth analysis on this question soon. However, it seems almost obvious that using dez entralised software for a limited part of an otherwise centralised operated exchan ge would not qualify as a “decentralized” structure. Using blockchain to create a n in essence centralised operated exchange doesn’t remove the original creator’s and operator’s responsibility. It therefore can be said that the Swiss legislator wo uld likely have treated the EtherDelta case similar as the SEC did.