Natural persons and legal entities are potentially jointly and severally liable for all of a decentralized autonomous organization's (DAO) violations of the Commodity Exchange Act (CEA) and Commodity Futures Trading Commission (CFTC or Commission) regulations if they participate in the governance of the DAO through voting of the DAO's governance tokens, charged the CFTC in two related enforcement actions filed on September 22.

This is because the CFTC stated that DAOs are equivalent to unincorporated associations. As a result, persons who participate by voting the DAO's governance tokens are members of such an association and thus, claimed the CFTC, personally, jointly and severally liable, for up to all of the debts of such DAO, relying on state law principles. By analogy, such persons also are potentially, personally, both jointly and severally liable for all of the DAO's violations of the CEA and CFTC regulations, posited the CFTC.

This never-before-application of principles of state law with no basis in the CEA or CFTC regulations was relied on by the CFTC in one enforcement action filed and currently pending in the United States District Court of California, CFTC v. Ooki DAO (Pending Action),1 and in another enforcement action filed as an administrative matter before the CFTC against a legal entity that was the predecessor of Ooki DAO, bZeroX, LLC (bZeroX), and its two founders, Tom Bean and Kyle Kistner, that was simultaneously settled ("Settlement;" collectively, the Pending Action and Settlement, the "CFTC DeFi Actions").2

Filing a dissent to the Settlement, CFTC Commissioner Summer Mersinger decried the novel legal theory employed by the CFTC to exercise jurisdiction over Mr. Bean and Mr. Kistner.3 According to Ms. Mersinger, "[w]hile I do not condone individuals or entities blatantly violating the CEA or our rules, we cannot arbitrarily decide who is accountable for those violations based on an unsupported legal theory amounting to regulation by enforcement while state and federal policy is developing."4

Although in neither the Pending Action nor the Settlement did the CFTC cite any authority within the CEA or CFTC regulations to support the Commission's theory of potential liability on persons who vote a DAO's governance tokens, the CFTC DeFi Actions are worrisome developments for persons participating in DAOs and other decentralized finance protocols. The enforcement actions suggest that DAO participants should simply not vote using their governance tokens. After all, both the Pending Action and the Settlement propose that while persons who vote their governance tokens are potentially part of the DAO's unincorporated association; those that do not, are not. As noted by Commissioner Mersinger,

[d]efining the Ooki DAO unincorporated association as those who have voted their tokens inherently creates inequitable distinctions between token holders. For example, suppose that during the period in which token holders A and B hold voteable DAO tokens: i) there is a single vote on a governance proposal, which has nothing to do with compliance with the CEA or CFTC rules; and ii) token holder A votes on it, but token holder B does not. Under the Commission's definition, token holder A has now become a member of the unincorporated association and (possibly unknowingly) assumed personal liability and is subject to CFTC sanctions for any violations of the CEA by the Ooki DAO—whereas token holder B, by the happenstance of not voting on this random governance proposal, has not.5

Background

The term "decentralized finance" or "DeFi" broadly encompasses "… a set of newly emerging financial products and services that operates on decentralized platforms using blockchains to record and share data."6 DeFi protocols may facilitate borrowing and lending, payments, or asset management of crypto assets or exchange activities involving crypto assets and/or derivatives on such instruments, all on a non-custodial, peer-to-peer basis without reliance on traditional financial intermediaries Central to DeFi protocols is the use of programmable smart contracts.7

DeFi protocols may be administered by natural persons or traditional legal entities such as corporations, or, frequently, by DAOs. DAOs are autonomous organizations that also are smart contracts, and often operate pursuant to the consensus of the relevant community, as evidenced by the voting of governance tokens issued by the DAO that are also utilized in the relevant DeFi protocol that the DAO administers. Likely, the most famous (or infamous) of DAOs is the DAO that was the subject of the Securities and Exchange Commission's (SEC) 2017 Report of Investigation8 where the SEC first proposed that cryptoassets could constitute an investment contracts under the Supreme Court's 1946 decision, SEC v. W.J. Howey,9 and thus securities under US securities laws, requiring registration by the issuer in order for the cryptoasset to be offered and sold in the United States to investors, unless an exemption applied.

Many regulators – both in the United States and abroad – have expressed significant concern regarding DeFi protocols because they are typically not registered with any financial regulator, and do not typically comply with laws governing anti-money laundering (including know your customer) and sanctions compliance. According to Dan Berkovitz, a former CFTC commissioner and currently the SEC's General Counsel,

One of the key reasons our financial system is so strong is the legal protections that investors enjoy when they invest their money in U.S. markets, most often through intermediaries. We have a system in which intermediaries are legally accountable for protecting customer funds. In many instances, such as in the clearing system, if a counterparty fails to perform, an intermediary will make the customer whole.

In a pure "peer-to-peer" DeFi system, none of these benefits or protections exist. There is no intermediary to monitor markets for fraud and manipulation, prevent money laundering, safeguard deposited funds, ensure counterparty performance, or make customers whole when processes fail.

[W]e should not permit DeFi to become an unregulated shadow financial market in direct competition with regulated markets.10

Current SEC Chairman, Gary Gensler, also has been vehement in statements regarding DeFi platforms, claiming that if "there are securities on these trading platforms, under our laws they have to register with the [SEC] unless they meet an exemption. Make no mistake, if a lending platform is offering securities, it also falls into SEC jurisdiction."11

In a comprehensive overview of DeFi earlier this year, the International Organization of Securities Commissions (IOSCO) noted that,

[a]lthough DeFi has been presented as providing certain benefits, it also presents numerous risks to participants, including to investors and the markets, currently and as it develops. The DeFi market and its participants in many respects have operated to date either outside the scope of existing regulatory frameworks or, in some jurisdictions, in non-compliance with applicable regulations.12

According to IOSCO, among the risks posed by DeFi protocols include asymmetry and fraud risks; market integrity risks; front running; use of leverage; illicit activity risks; operational and technology-based risks; cybersecurity; and governance risks.13 There also is the risk of a spill‑over of DeFi risks to centralized, traditional markets.14

However, few if any DeFi protocols have registered with appropriate regulators. According to SEC Commissioner Caroline Crenshaw, "… no DeFi participants within the SEC's jurisdiction have registered with us, though we continue to encourage participants in DeFi to engage with the staff."15

Moreover, it is conceptually difficult, if meaningless, to sue computer code – the backbone of smart contracts. As Lael Brainard, Vice Chairperson of the Board of Governors of the Federal Reserve System recently acknowledged,

[w]hile regulatory frameworks clearly apply to DeFi activities no less than to centralized crypto activities and traditional finance, DeFi protocols may present novel challenges that may require adapting existing approaches. The peer-to-peer nature of these activities, their automated nature, the immutability of code once deployed to the blockchain, the exercise of governance functions through tokens in decentralized autonomous organizations, the absence of validated identities, and the dispersion or obfuscation of control may make it challenging to hold intermediaries accountable.16

As evidence of this, in 2018, the SEC brought an action involving a DeFi trading platform – EtherDelta – that listed alleged securities tokens. The SEC claimed that EtherDelta should have been registered as a national securities exchange (NSE) under applicable law, but was not. However, in its Order instituting an enforcement action and settlement, the SEC did not name the decentralized protocol itself, but solely the individual who the SEC alleged wrote and deployed the smart contract underlying the trading platform.17

In the Matter of Zachary Coburn, the SEC alleged that Zachary Coburn was the founder of EtherDelta, "an online platform that allows buyers and sellers to trade certain digital assets – Ether and 'RC20 tokens' in secondary market trading."18 Because, in the SEC's view, Mr. Coburn "exercised complete and sole control over EtherDelta's operations," he "should have known" that his actions would cause EtherDelta to violate applicable law that required the trading platform to be registered as an NSE.19 The SEC charged Mr. Coburn with an express provision of the Securities Exchange Act of 1934, as amended (Exchange Act) that makes a person liable if he/she "… would be a cause of another Exchange Act violation" "due to an act omission the person knew or should have known would contribute to such violation."20 The SEC did not commence an action against EtherDelta – the smart contract programmed as a trading platform – itself.

The CFTC Enforcement Actions

In the CFTC DeFi Actions, the CFTC took a similar but subtly different approach than the SEC in EtherDelta.

In the Settlement, the CFTC alleged that the bZx Protocol was a collection of smart contracts on the Ethereum Blockchain that enabled persons to engage in the leveraged trading of various cryptocurrency trading pairs without actual delivery occurring within 28 days (Leveraged Commodity Transactions). As a result, the CFTC claimed that the bZx Protocol acted as a futures commission merchant (FCM) but was not registered with the CFTC in such capacity, and transacted in Leverage Commodity Transactions for persons that were not so-called "Eligible Contract Participants" (e.g., retail persons) other than on a registered CFTC exchange (i.e., a designated contract market), as required by applicable law. Additionally, the CFTC alleged that the bZx Protocol did not comply with anti-money laundering requirements mandated for all FCMs – whether registered or not.21

As in EtherDelta, the CFTC did not sue the DeFi protocol itself, but charged the legal entity that, during the relevant period, created and operated the bZx Protocol, namely bZeroX, LLC (bZeroX), a Delaware limited liability company. The CFTC also sued Tom Bean and Kyle Kistner, who founded, co-owned and controlled bZeroX during the relevant period. The CFTC claimed that Mr. Bean and Mr. Kistner were liable for bZeroX's violations of the CEA and CFTC regulations as controlling persons of bZeroX as the individuals "knowingly induced the violations by bZeroX, directly or indirectly, or did not act in good faith."

After time, bZeroX transferred control of the bZx Protocol to bZx Dao, a DAO, that later renamed itself Ooki DAO (later, the Ooki DAO renamed the bZx Protocol the Ooki Protocol).

The CFTC alleged that the Ooki DAO is an unincorporated association "comprised of holders of Ooki DAO Tokens … who vote those tokens to govern (e.g., modify, operate, market and take other actions with respect to) [the Ooki Protocol]."22 Among those holders, claimed the CFTC, were Mr. Bean and Mr. Kistner.

The CFTC did not name either the autonomous bZx Protocol or Ooki DAO in the Settlement. Instead the CFTC charged that Mr. Bean and Mr. Kistner were liable for Ooki DAO's CEA and CFTC regulations' violations as members of Ooki DAO. The CFTC claimed that since, under state law, members of an unincorporated association are jointly and severally liable for the debts of the association, members of an unincorporated association like Ooki DAO are personally liable for the Ooki DAO's violations of the CEA and CFTC regulations. The CFTC cited no provision under the CEA or CFTC regulations in support of this proposition.

To settle the Settlement, bZeroX, Mr. Bean and Mr. Kistner agreed, jointly and severally, to pay a fine of $250,000, cease and desist from future violations of the relevant provisions of the CEA and CFTC regulations, and other sanctions.

Separately, however the CFTC named the Ooki DAO in a parallel enforcement action filed in a federal court in California and sought sanctions (including a cease and desist order and fine) against Ooki DAO "including all members of the Ooki DAO (i.e., Ooki [governance] Token holders who voted their Ooki Tokens to govern the Ooki DAO by, for example, directing the operation of the Ooki protocol) …"23 These members will likely include persons who, unlike Mr. Bean or Mr. Kistner, were not principally responsible for the initial creation and programming of the Ooki Protocol, but anyone who held and voted Ooki DAO Tokens no matter how minor their participation.

The decision of the CFTC to potentially include all persons who voted Ooki Tokens, and not just the principal organizers of Ooki DAO, relying on an untested legal theory, was clearly an intentional decision to convey a message to the DeFi community.24 This is because the CFTC already has in its enforcement arsenal a provision that enables it to file enforcement actions against a person who "willfully aids, abets, counsels, commands, induces or procures the commission of, a violation of any, of the provisions" of the CEA or CFTC regulations, namely a prohibition against aiding and abetting a violation."25 The CFTC has frequently relied on this provision to charge persons who it believes materially contributed to others' violations of the CEA or CFTC regulations.26

However, whereas proving aiding and abetting requires the CFTC to demonstrate a defendant's willfulness, the state-law theory relied on by the CFTC in its DeFi Actions implicates voters of DAO governance tokens on a strict liability basis.

Commissioner Mersinger expressly raised concerns regarding the broad potential sweep of the CFTC's approach in her dissent to the Settlement and questioned why the CFTC did not proceed solely against Mr. Bean and Mr. Kistner under its aiding and abetting authority.

I am disappointed that the Commission has decided to proceed in this manner since there is a better path available. The Commission could have decided to proceed in a manner that: i) is appropriately based on a person's culpability rather than status; ii) is grounded squarely in the authorities granted to the CFTC by the CEA; and iii) would avoid all the concerns that I have expressed above. That is, the Commission could have found Bean and Kistner personally liable for Ooki DAO's violations based on the aiding-and-abetting provisions of Section 13(a) of the CEA.27

Conclusion and Recommendations

The CFTC's theory that all persons who vote governance tokens in a DAO (which is an unincorporated association) are effectively members of the DAO and therefore, personally are jointly and severally liable for all CEA and CFTC regulations' violations by the DAO, has not yet been affirmed by any court. However, participants in DeFi protocols controlled by a DAO must take notice of the CFTC's approach, which could be emulated by the SEC or another regulator. One possible mitigant against potential CFTC action appears to be not voting a DAO's governance tokens. This approach, however, could have unintended consequences as noted by Commissioner Mersinger, as it could preclude persons from voting to make a DeFi protocol more regulatorily compliant.