Fintech Regulatory Updates
7 November 2024
By Ariel Yosefi, Eden Lang, Dima Zalyalyeyev, Yonatan Glatt and Gal Mechtinger.
Dear clients and friends,
We are pleased to highlight below some key regulatory developments and events from the recent months, affecting various sectors in the fintech industry, including crypto, online trading and derivatives, payments and financial services.
Our fintech and crypto team is helping our clients in monitoring and navigating the evolving regulatory environment for cross-border activities.
We will be happy to further review and elaborate on each of these updates, their implications and any other questions you may have.
Crypto, Forex and Derivatives
United States
US Treasury Targets Russian Crypto Exchanges Linked to Cybercrime (link) | On 26 September 2024, the US Department of the Treasury announced a series of coordinated actions against Russian-linked virtual currency exchangers and cybercrime facilitators involved in money laundering activities tied to ransomware and other illicit actions. The Financial Crimes Enforcement Network (FinCEN) has issued an order that identifies PM2BTC – a Russian virtual currency exchanger associated with Russian individual Sergey Sergeevich Ivanov (Ivanov) – as being of a “primary money laundering concern” in connection with Russian illicit finance. Concurrently, the Office of Foreign Assets Control (OFAC) has sanctioned Ivanov and Cryptex – a virtual currency exchange registered in St. Vincent and the Grenadines and operating in Russia.
According to the US Treasury, PM2BTC provided direct crypto-to-ruble exchange services using US-sanctioned financial institutions and has failed to maintain a credible and effective anti-money laundering and know your customer (KYC) program. FinCEN found that nearly half of PM2BTC’s exchange activity had links to illicit activity. Cryptex, too, has received over $51.2 million in funds derived from ransomware attacks and is associated with over $720 million in transactions to services frequently used by Russia-based ransomware actors and cybercriminals. The Treasury also announced that other US and Dutch law enforcement agencies have taken coordinated actions against the exchanges, including seizure of web domains and/or infrastructure associated with PM2BTC and Cryptex. |
SEC Charges Entities Operating DeFi Platform Mango Markets for Unregistered Offers and Sales of Governance Tokens (link)
|
On 27 September 2024, the US Securities and Exchange Commission (SEC) filed settled charges against alleged participants in the unregistered offer and sale of crypto assets called “MNGO” tokens, as well as for unregistered broker activity carried on the DeFi trading platform Mango Markets.
The SEC lawsuit targets three defendants involved in the development and operation of Mango Markets: Mango Labs, a Wyoming corporation; Blockworks Foundation, an entity incorporated and domiciled in Panama; and Mango DAO, the platform’s governing body. According to the charges, in August 2021, Mango DAO and Blockworks Foundation held an ICO of MNGO, raising over $70 million by offering 500 million tokens to global investors, including US investors. Blockworks Foundation managed the sale website and promoted it across various channels, including social media. The SEC alleged that Mango DAO and Blockworks Foundation did not require KYC verification, allowing US investors to buy MNGO tokens. Discussions on social media suggested using VPNs to bypass restrictions, and the sale website received significant traffic from US users. The SEC argues these factors indicated that the geographical restrictions were ineffective in preventing US participation. Additionally, the SEC contends that, alongside the ICO, Blockworks Foundation and Mango Labs acted as securities brokers for tokens on the Mango Markets platform. They provided significant managerial efforts to develop the platform before and after the Token Sale, including coding, creating website content, managing social media channels, and participating in governance proposals. Without admitting the allegations, the three entities agreed to settle, paying nearly $700,000 in civil penalties, destroying their MNGO tokens, and refraining from future solicitation of trading MNGO. |
SEC Charges Flyfish Club for Unregistered Offering of NFTs (link)
|
On 16 September 2024, the SEC charged Delaware-incorporated company Flyfish Club, LLC with conducting an unregistered offering of non-fungible tokens (NFTs). The sale raised approximately $14.8 million to fund a NYC members-only restaurant, Flyfish Club. Between August 2021 and May 2022, Flyfish sold around 1,600 NFTs, which were marketed as exclusive private memberships, leading investors to expect profits from their investments.
The SEC’s order noted that Flyfish engaged in extensive marketing, promoting the NFTs as investment opportunities. Investors were informed they could potentially profit by reselling their NFTs or leasing them for passive income. Notably, 42% of investors purchased multiple NFTs, despite only needing one for membership. Without admitting the allegations, Flyfish agreed to a cease-and-desist order, pay a $750,000 civil penalty, and comply with specific undertakings. These included destroying all unsold Flyfish NFTs still in the company’s possession by a specified deadline and ceasing the collection of any royalties from secondary market trades involving the NFTs. |
SEC’s Wells notice to OpenSea tags NFTs as Unregistered Securities (link)
|
On 28 August 2024, NFT marketplace OpenSea announced it received a Wells Notice from SEC – a letter informing the platform of potential enforcement action for allegedly selling unregistered securities. OpenSea, in response, has rejected these claims, arguing that NFTs are primarily digital collectibles and creative assets, not securities. The platform emphasized that its users engage with NFTs for reasons like gaming, art, or fandom rather than financial speculation. The company has expressed concern that the SEC’s actions may stifle innovation in the NFT space by creating regulatory uncertainty and pushing for regulation by enforcement instead of clear guidelines. |
Crypto Exchange Crypto.com Sues the SEC for Regulatory Overreach After Receiving Lawsuit Warning (link)
|
Centralized crypto assets exchange Crypto.com filed on October 8, 2024 a lawsuit against the SEC, asserting that the federal agency unlawfully expanded its jurisdiction “beyond statutory limits”. The complaint challenges the SEC’s attempts to regulate secondary-market sales of certain “network tokens” on Crypto.com’s platform. The SEC threatened enforcement actions against Crypto.com, classifying these tokens as “Crypto Asset Securities,” a term that Crypto.com argues the SEC invented without any statutory grounds. Crypto.com claims that these tokens, including SOL, ADA, BNB, FIL, FLOW, and others, are not securities under the Securities Act of 1933 or the Exchange Act of 1934. Additionaly, Crypto.com argues that the SEC’s treatment of these tokens is arbitrary and capricious, as the agency has classified them differently from Bitcoin and Ether despite their functional similarities. Crypto.com announced that it decided to sue the SEC following receipt of a “Wells Notice”, indicating upcoming enforcement action against the exchange.
The lawsuit further alleges that the SEC has overreached its authority by using enforcement actions to introduce new regulatory standards without following proper procedures, such as formal rulemaking under the Administrative Procedure Act (APA). Crypto.com is seeking declaratory and injunctive relief, asking the court to rule that the targeted network tokens are not securities, that Crypto.com does not act as an unregistered securities broker-dealer, and to prevent the SEC from enforcing its “Crypto Asset Security” rules against the company. |
CFTC Orders Uniswap Labs to Stop Offering of DeFi Crypto Derivatives (link)
|
On 4 September 2024, the US Commodity Futures Trading Commission (CFTC) charged Universal Navigation Inc. a Delaware company d/b/a “Uniswap Labs”, for offering illegal digital asset derivative transactions without proper registration. Uniswap labs developed and maintains a web interface access to the Uniswap Decentralized Finance (DeFi) protocol, which allows users to trade in liquidity pools, including some that provided leveraged exposure to cryptocurrencies like Bitcoin and Ethereum. According to CFTC staff, these leveraged tokens qualified as “leveraged or margined commodity transactions” under the agency’s jurisdiction, which requires registration when offered to retail customers. Uniswap Labs was not registered with the CFTC as a contract market, allegedly making these offerings illegal under the Commodity Exchange Act (CEA).
As part of the settlement, Uniswap Labs agreed to pay a $175,000 fine and cease violating the CEA. The CFTC also acknowledged that Uniswap cooperated with the investigation, which resulted in a reduced penalty. |
CFTC Sues Four Unregulated Trading Platform Offering Forex and Crypto Binary Options (link)
|
The US Commodity Futures Trading Commission (CFTC) filed administrative complaints against four trading platforms operating as unregistered Futures Commission Merchants (FCMs). According to the CFTC, the four platforms – Cryptoiminerstrade.com, Expert Stocks Zone, FalconForexBot, and Swiftminingexpert.com – solicited public funds for trading binary options based on foreign currencies and crypto assets without CFTC registration. The commission alleged that platforms misleadingly claimed to be “leading platforms in the US” and regulated by the CFTC. The complaints were issued despite dissenting opinions from two CFTC Commissioners, which criticized the CFTC for bringing administrative proceedings instead of in a federal court. |
eToro Agreed to Restrict Majority of Tokens Following SEC Settlement (link)
|
The SEC announced it reached a settlement with trading platform eToro USA LLC on 12 September 2024, resulting in the platform agreeing to pay a $1.5 million fine. The settlement included charges that eToro facilitated the trading by US customers of crypto assets deemed securities by the SEC, without allegedly complying with federal securities registration laws.
As part of the settlement, eToro agreed to significantly restrict its cryptocurrency offerings for US customers. Following the case, eToro announced that only Bitcoin, Bitcoin Cash, and Ethereum will remain available for trading on its US platform. Customers have a 180-day window to sell any other crypto assets currently held on the platform, after which these assets will be liquidated, and proceeds returned to the customers’ accounts. |
18 Individuals and Entities Charged in Wash-Trading and Price Manipulation in the Cryptocurrency Markets (link)
|
In October 2024, the US Department of Justice (DOJ) charged 18 individuals and entities in the first-ever criminal case against financial services firms for market manipulation and “wash trading” in the cryptocurrency industry. This international operation focused on schemes where market makers artificially inflated the trading volumes of crypto tokens to deceive investors. By making it seem like these tokens were more actively traded and valuable than they really were, the defendants manipulated prices, leading to financial gains for themselves at the expense of other investors.
Among the key players were firms like Gotbit, ZM Quant, CLS Global, and MyTrade, which offered “market manipulation-as-a-service”. These firms used tactics like wash trading – where tokens are traded back and forth between accounts they controlled — to create the illusion of high trading activity. This tactic is illegal in traditional financial markets and was used here to inflate token prices, leading to so-called “pump and dump” schemes. The DOJ announced that over $25 million in assets were seized in the crackdown, and several defendants, including Gotbit executives, have pleaded guilty or agreed to plead guilty. Some individuals were arrested outside the United States and facing extradition. The DOJ’s investigation was bolstered by cooperation from the FBI, IRS, and international law enforcement. |
SEC Charges Crypto Liquidity Provider Cumberland DRW for Operating as an Unregistered Dealer (link)
|
On 10 October 2024, the SEC charged Chicago-based Cumberland DRW LLC, a prominent crypto market maker, for operating as an unregistered dealer in crypto assets. According to the SEC’s complaint, since at least March 2018, Cumberland engaged in more than $2 billion worth of crypto transactions, which the SEC classifies as securities. According to the SEC, Cumberland’s activities violated federal securities laws that require dealers to register with the Commission to ensure investor protections. The SEC’s lawsuit seeks to impose penalties, including disgorgement of profits, injunctive relief, and civil penalties.
Cumberland conducted these transactions through its proprietary trading platform and other exchanges, marketing itself as a key liquidity provider in the crypto space. The complaint further alleges that Cumberland is engaging in trading crypto assets that are offered and sold as investment contracts on third-party crypto asset exchanges as part of its regular business. Cumberland issued a defiant statement on its X account, criticizing the SEC’s approach as stifling innovation and asserting that it had engaged in good-faith discussions with the SEC for five years regarding the classification of its transactions. Cumberland claims the SEC’s complaint is the first instance where specific transactions were outlined. They noted having acquired a registered broker-dealer in 2019 but were allegedly informed by the SEC that it could only facilitate trades in Bitcoin (BTC) or Ethereum (ETH), which Cumberland argues are commodities outside the SEC’s jurisdiction. Cumberland emphasized it would not alter its business operations or the assets it trades, expressing confidence in its compliance framework. |
Court: Touting Tokens in the US is subject to SEC Supervision (link)
|
The SEC won a partial victory in a case against blockchain company Opporty and its founder, Sergey Grybniak, which in 2020 raised approximately $600,000 from nearly 200 investors in a public sale of Opporty’s “OPP Tokens.” Defendants argued that the token sale did not need a registration statement because it had been carried under Reg D and Reg S exemptions — and purchasers were either accredited investors or the sales occurred outside the US. In a September 2024 memorandum, the Eastern District Court of New York ruled that defendants failed to meet the exemption requirements of Regulation S, since they undisputedly engaged in ‘directed selling efforts’ in the US. The court cited the fact that Grybniak touted the ICO at digital asset conferences in the United States, including in San Francisco and Miami, and paid advisors located in the US to promote the OPP Tokens. The judge found that Grybniak made a reasonable defense in arguing against the SEC’s Section 5 claim, saying the SEC’s guidance on crypto offerings had been “so vague and arbitrary that investors have not had a sufficiently definite warning about how the Howey test might apply.” Still, the judge agreed with the SEC in finding that Grybniak and Opporty failed to meet the exemption requirements of Regulation S. The court also asserted that the offering was not protected by Reg D exemption, since Opporty made no attempt to verify whether the non-US purchasers qualified as accredited investors. |
SEC Wins 2017 ICO Case against a $18M Sale of RvT Tokens (link)
|
On 30 September 2024, a summary judgment was issued by the Massachusetts federal court in favor of the SEC in its lawsuit against Rivetz Corp and its CEO, Steven Sprague. The case, which originated from a complaint filed by the SEC in September 2021, centered on an Initial Coin Offering (ICO) of Rivetz (RvT) tokens conducted between July and September 2017. This ICO raised approximately $18 million from over 7,200 investors, with about one-third of them located in the United States.
In its summary judgment, the court ruled that the RvT tokens were indeed securities under the Howey test, rejecting defendants’ argument that they were merely software products. The judge asserted that Rivetz encouraged potential purchasers to view the purchase of RvT tokens as an opportunity to invest in the security solution that Rivetz was developing and reap a financial reward as Rivetz’s technology increased demand for RvT tokens, thus meeting the Howey test second and third prong. Although the RvT tokens were functional as ERC-20 tokens on the Ethereum blockchain, the judge noted they had no inherent value at the time of the ICO because Rivetz had not yet developed the promised security ecosystem. Importantly, the ruling established that investors expected profits from Rivetz’s entrepreneurial efforts, Meeting a crucial criterion of the Howey test fourth prong. The court also considered the marketing materials used during the ICO, which emphasized the potential for profit and the company’s plans to increase the tokens’ value through its business efforts. Sprague, who represented himself in the case, did not dispute the key facts presented, which likely contributed to the SEC’s favorable outcome. As a result of this ruling, the SEC was instructed to work with Sprague to submit a proposal for injunctive and monetary relief, potentially including disgorgement of ill-gotten gains and civil penalties. |
European Union
German Agencies Shut Down 47 Crypto Exchanges for AML/CTF Failures (link)
|
Law enforcement authorities in Germany have shut down dozens of exchange services that were being used to facilitate cybercrime and money laundering activities. The Frankfurt am Main Public Prosecutor’s Office – Central Office for Combating Cybercrime (ZIT) and the Federal Criminal Police Office (BKA) announced that they have successfully dismantled and seized the servers of 47 unregulated crypto-to-fiat and crypto-to-crypto exchanges operating in Germany. According to enforcement officers, operators of these exchanges failed to comply with “Know Your Customer” (KYC) requirements, allowing users to anonymously facilitate payments without any registration or identity verification. The lack of screening controls by the exchanges enabled users to obscure the origins of illegal funds, which was derived from ransomware, darknet, and botnet activities. |
United Arab Emirates
UAE to Streamline Provision of Dubai Crypto Service Providers (link)
|
Financial regulators of the United Arab Emirates and the Emirate of Dubai have signed a cooperation agreement to enhance the position of the UAE as a leading global hub for crypto assets. Under the agreement, the UAE’s Securities and Commodities Authority (SCA) and Dubai’s Virtual Assets Regulatory Authority (VARA) will establish rules and procedures for licensing and supervising virtual asset service providers (VASPs) and related activities. The agreement was aimed to tackle the UAE’s virtual asset fragmented regulations, consisting of significant overlap between federal and Emirate jurisdictions over virtual assets activities.
Under the new agreement, VASPs operating in or from Dubai or wishing to service the emirate of Dubai will need to obtain a license from VARA. Once licensed by VARA, licensees can be registered by default with the SCA to service the wider UAE. In contrast, VASPs wishing to operate out of any other Emirate, must be licensed by the SCA to do so. The agreement also covers the mechanism for mutual supervision of VASPs, penalty and fine imposition, the exchange of information and statistics, as well as cooperation in employee training and qualification. |
Dubai’s VARA Updates Marketing Regs and Launches New Guidance for VASPs (link 1, link 2) | Dubai’s Virtual Assets Regulatory Authority (VARA) has issued new regulations and guidance concerning marketing of virtual assets and related activities, which entered into force on 1 October 2024. The marketing regulations apply to all advertisement, invitation, inducement, solicitation, offer or promotion of or relating to virtual assets and activities “in or targeting the UAE”. The requirements apply both to UAE or foreign entities, irrespective of whether they are authorized or licensed by VARA. Among others, the regulations also apply to platforms and channels, including traditional and digital broadcasters, publishers, search engines, social media and other internet platforms. Among others, the regulatoins set requirements in relation to crypto events and marketing campaigns in Dubai. |
UAE Exempts Crypto Transactions from VAT (link)
|
The United Arab Emirates has exempted crypto transactions from value-added tax (VAT), aligning the industry with traditional financial services. This change, effective November 15, applies retroactively to transactions dating back to 1 January 2018. The Federal Tax Authority’s update, first released in Arabic on October 2, 2024, and translated to English on October 4, clarifies that the 5% VAT tax shall not apply to the transfer of ownership of virtual assets. |
Australia
ASIC Introduces New Reporting Requirements for CFD Brokers (link) | The Australian Securities and Investments Commission (ASIC) has introduced new reporting regulations for brokers of derivative products, effective 21 October 2024. These changes include expanded requirements for reporting collateral, the use of Unique Transaction Identifiers (UTIs) and Unique Product Identifiers (UPIs), and a shift to standardized XML reporting formats. These updates aim to align with international standards and enhance transparency in the market. A second phase, set for October 2025, will bring further adjustments to the reporting framework. |
Payments
United Kingdom
APP Fraud Prevention Regime for Banks and Payment Service Providers (link) | The Financial Conduct Authority (FCA) published two Dear CEO letters, sent to banks and building societies and to payment and e-money institutions, in which it sets out its expectations on the new authorised push payments (APP) fraud reimbursement regime. The Payment Systems Regulator’s (PSR) reimbursement requirement for APP fraud carried out through the Faster Payments System and CHAPS came into force on 7 October 2024 (the date of the Dear CEO letters).
The letter emphasizes the need for firms participating in Faster Payments (FPS) and CHAPS to reimburse customers swiftly when they fall victim to APP fraud, in line with new regulations under the Payment Systems Regulator (PSR). Additionally, the letter stresses that institutions must maintain adequate resources to meet these obligations and take fraud prevention seriously. The letter outlines expectations on how firms should handle the financial and operational impacts of the APP reimbursement scheme, including ensuring proper capital reserves and compliance with consumer protection duties. |
Malta
Maltese Regulator Updated a Rulebook for Financial Institutions Issuing E-Money or Providing Payment Services (link) | Maltese Financial Services Authority (MFSA) has published a revised Chapter 3 of the Financial Institutions Rulebook – FIR/03, which includes rules applicable to financial institutions issuing electronic money or providing payment services, such as ongoing requirements (including safekeeping, reporting, cybersecurity, and prudential requirements) and service-specific requirements for such institutions. The rules also address administrative penalties and other administrative measures and sanctions for non-compliance. The FIR/03 will apply in two stages: the first stage has already become applicable on 15 October 2024, and the second one will become applicable on 15 December 2024.
|
Financial Services
United Kingdom
FCA Targets Online “Finfluencers” for Illegally Touting Financial Services (link) | The UK’s Financial Conduct Authority (FCA) announced it has taken actions against social media influencers who may be promoting financial services illegally. Twenty “finfluencers” were investigated, and 38 social media accounts have been flagged for potentially unlawful promotions. The FCA raised concern over the increasing number of young people who are falling victim to scams, often influenced by finfluencers; and warned finfluencers to be cautious about the products they promote, as illegal promotions can harm their followers’ financial well-being. |
Cyprus
CySEC Implements new Group Capital Test for Investment Firms (link) | The Cyprus Securities and Exchange Commission (CySEC) has mandated that Cyprus Investment Firms (CIFs) to align with the European Banking Authority’s (EBA) guidelines on the group capital test, effective January 1, 2025. A CySEC Circular issued on 22 October 2024 aims to standardize capital requirement calculations for groups of CIFs, ensuring they maintain adequate capital to protect the financial system and clients. CIFs can potentially benefit from lower capital requirements if they meet specific conditions, such as having a simple structure and limited risk profile. However, firms that don’t meet these criteria will need to maintain higher capital levels. To apply for reduced capital requirements, CIFs must submit a detailed application to CySEC, including information on their group structure, activities, and calculated capital requirements. CySEC will assess these applications and may revoke permission if conditions change. |