Samuels v. Lido DAO: a Potential New Frontier for Liability in the Cryptocurrency Space

by Stephen Gannon, James Goldfarb, and Alexandra Coyle

Photos of the authors

Stephen Gannon, James Goldfarb, and Alexandra Coyle (photos courtesy of Davis Wright Tremaine LLP)

In denying motions to dismiss, court potentially expands liability for venture capital firms investing in cryptocurrency enterprises

A recent order handed down by U.S. District Judge Vince Chhabria of the Northern District of California could be a new source of concern for digital asset entrepreneurs and the venture capital firms which invest in and support them. In Samuels v. Lido DAO the court denied the motion to dismiss filed by an entity called Lido DAO (“Lido”) and a group of its institutional investors regarding what was alleged to be a sale of unregistered tokens on an exchange. Lido was and is the operator of a successful “Staking as a Service” business conducted through a decentralized autonomous organization, or a “DAO.” Founded in 2020, Lido provides a service in which it gathers ETH from individual holders, which it then pools and “stakes” to provide validation for transactions on the Ethereum blockchain. It also selects validators and provides an “oracle” to ensure that (i) the validators, (ii) the owners who pooled their ETH, and (iii) Lido itself receive the correct ETH rewards for performing the validation work.[1]

In largely denying defendants’ motions to dismiss, the court’s order potentially greatly expands the liability venture capital firms based in California might face, particularly in the context of investing in cryptocurrency enterprises, and may raise more questions than it answers for parties involved in such disputes.

Continue reading

Virginia Supreme Court Expands Computer Crime Law, Raising Legal Issues for Ethical Hackers

by Harley Geiger and Tanvi Chopra

Photos of the authors

Harley Geiger and Tanvi Chopra (photos courtesy of the authors)

On Nov. 21, 2024, the Virginia Supreme Court issued a pivotal ruling with significant implications for corporate security, ethical hacking, and everyday computer users. The Commonwealth v. Wallace decision greatly expands the scope of Virginia’s computer fraud law, turning any unauthorized use of a computer into a state hacking crime.

The Hacking Policy Council previously warned that overbroad state laws risk conflating security research and ordinary internet activities with malicious cybercrime. While substantial progress on this issue has been made at the federal level, sweeping state statute language and court decisions like Commonwealth v. Wallace demonstrate the need for engagement to focus enforcement of state anti-hacking laws on actual criminal behavior.

In the meantime, state laws continue to be a legal minefield for ethical hackers who test systems to identify vulnerabilities in an effort to improve cybersecurity. Prosecutor discretion and guidelines will be key to focusing broad state computer crime laws on malicious behavior and not good faith security researchers. Continue reading

TD Bank Pleads Guilty to Bank Secrecy Act and Money Laundering Conspiracy Violations – Part II: The Regulatory Agency Resolutions

by Jonathan J. Rusch

photo of author

Photo courtesy of the author

On October 10, the U.S. Department of Justice, the Financial Crimes Enforcement Network (FinCEN), the Office of the Comptroller of the Currency (OCC), and the Federal Reserve Board (FRB) announced an extraordinary set of coordinated criminal and civil resolutions involving TD Bank, N.A. and its parent company TD Bank US Holding Company (collectively TD Bank) for systematic and years-long violations of the Bank Secrecy Act (BSA) and money laundering.  The first post on the TD Bank resolutions addressed only the Department of Justice’s criminal resolution with TD Bank.[1] This post will focus on the bank’s resolutions with the regulatory agencies, and identify certain lessons to be learned from this case.

Continue reading

Sweeping AI Legislation Under Consideration in Virginia

by Beth Waller and Patrick Austin

Photos of authors

Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

Virginia, a leader in technology and privacy related regulations, is methodically examining artificial intelligence legislation.  In particular, significant legislation establishing a regulatory framework for high-risk Artificial Intelligence (AI) systems is currently being considered by the Virginia General Assembly’s Joint Commission on Technology and Science (JCOTS). JCOTs – a permanent legislative agency that studies and develops technology and science related policies in Virginia – has held several hearings on the topic in an effort to hear expertise related to AI issues and has formed an AI specific Subcommittee.  The JCOTS AI Subcommittee is considering two pieces of legislation that would govern the use of high-risk AI systems by public entities and private sector entities.

Continue reading

Fifth Circuit Holds that OFAC May Not Maintain Sanctions on Cryptocurrency Mixer Tornado Cash

by Sharon Cohen Levin, James M. McDonaldEric J. Kadel Jr.Anthony J. LewisJudson O. LittletonAdam J. SzubinShari D. Leventhal, and Berke B. Gursoy

Photos of the authors

Top left to right: Sharon Cohen Levin, James M. McDonald, Eric J. Kadel Jr., and Anthony J. Lewis. Bottom left to right: Judson O. Littleton, Adam J. Szubin, Shari D. Leventhal, and Berke B. Gursoy (photos courtesy of Sullivan & Cromwell)

Court Concludes that Immutable Smart Contracts Are Not “Property” Under Relevant Sanctions Legislation

SUMMARY

In a significant decision issued on November 26, 2024, the U.S. Court of Appeals for the Fifth Circuit held in Van Loon et al. v. Department of the Treasury that the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) exceeded its statutory authority under the International Emergency Economic Powers Act (“IEEPA”) by sanctioning Tornado Cash, a cryptocurrency mixing service that enables users to conduct anonymized cryptocurrency transactions through the use of immutable smart contracts. The case centered on whether these immutable smart contracts could be considered “property,” as required to be sanctionable under IEEPA. Relying on the Supreme Court’s recent decision in Loper Bright Enterprises v. Raimondo, which overruled the longstanding doctrine of Chevron deference to agency interpretations of statutory text, the Fifth Circuit concluded that immutable smart contracts did not constitute property and were therefore not subject to OFAC’s designation authority under IEEPA.

This ruling has potentially significant implications for OFAC’s efforts to sanction parties involved in decentralized finance (DeFi) and could alter the future enforcement landscape for parties and platforms that provide anonymity-enhancing services to cryptocurrency users.

Continue reading

Federal Court Suspends Enforcement of Corporate Transparency Act Nationwide

by Matthew Bisanz, Brad A. Resnikoff, and Kelly F. Truesdale

Photos of the authors

Matthew Bisanz, Brad A. Resnikoff, and Kelly F. Truesdale (Photos courtesy of Mayer Brown)

On December 3, 2024, the US District Court for the Eastern District of Texas entered a preliminary injunction suspending enforcement of the Corporate Transparency Act (CTA) and its implementing regulations nationwide, concluding that the CTA is likely unconstitutional as it is outside Congress’s power.[1] Although not the first court to reach such a conclusion, the breadth of the relief provided by the court—applying nationwide, rather than to the specific plaintiffs—reflects a significant development, given the rapidly approaching compliance deadlines for many existing companies under the CTA.

The Texas court’s decision has immediate implications for the 32 million reporting companies facing a year-end deadline to report beneficial ownership information to the government, particularly as reporting in early December indicated that only about 30% of the estimated total filings had been received.[2] While the Texas court’s decision effectively suspends the compliance deadline—as the Financial Crimes Enforcement Network (FinCEN) has confirmed—during the pendency of the injunction, the Government has already appealed the decision to the Fifth Circuit and is currently seeking to stay the effect of the preliminary injunction.

Continue reading

“Operation Chokepoint 2.0”: De-Banking Policies and the Adverse Use of Reputational Risk in Bank Supervision

by Stephen T. Gannon, Max Bonici, Elizabeth Lan Davis, and Kristal Rovira

Photos of the authors

Left to Right: Stephen T. Gannon, Max Bonici, Elizabeth Lan Davis, and Kristal Rovira (photos courtesy of Davis Wright Tremaine LLP)

How subjective supervisory standards suppressed innovation and damaged innovators.

“The power to regulate—in addition to the power to tax—is the power to destroy.”

Peter Wallison, Judicial Fortitude (2018)

As we have previously noted, we expect that the second Trump Administration will be significantly more favorable to crypto than the Biden Administration, especially with the recent appointment of David Sacks as the Administration’s “Crypto Czar.” We anticipate that in short order the new Administration will address “de-banking,” a regulatory practice that has vexed the digital asset industry—and banking in general—over the last several years. In this context, “de-banking” means canceling banking services to crypto entities and individuals associated with them or crypto activities. It is a practice that has been sharply criticized and has become even less comprehensible as the digital asset industry has matured and embraced (indeed, has sought) reasonable regulation. In the last several days the attention paid to this issue has increased sharply as a result of comments by Marc Andreessen on the Joe Rogan podcast.

Regrettably, the de-banking problem is not new. De-banking crypto is simply the latest variation of regulators using vague and amorphous standards to supervise bank conduct through the subjective lens of what the federal banking agencies call “reputational risk.”

Below we discuss how we got here and some ways forward.

Continue reading

CPPA Proposed Rulemaking Package Part 1 – Cybersecurity Audits

by Avi Gesser, Matt Kelly, Johanna N. Skrzypczyk, H. Jacqueline Brehmer, Ned Terrace, Mengyi Xu, and Amer Mneimneh

Photos of the authors

Top: Avi Gesser, Matt Kelly, and Johanna N. Skrzypczyk,. Bottom: H. Jacqueline Brehmer, Ned Terrace, and Mengyi Xu. (Photos courtesy of Debevoise & Plimpton LLP)

Key Takeaways

  • On November 22, 2024, the California Privacy Protection Agency (CPPA) launched a formal public comment period on its draft regulations addressing annual cybersecurity audits and other privacy obligations under the California Consumer Privacy Act (CCPA).
  • These proposed rules aim to establish robust standards for thorough and independent cybersecurity audits, delineating both procedural and substantive requirements for businesses processing personal information.
  • In this update, we provide an overview of the new cybersecurity audit provisions, including key thresholds for applicability, detailed audit expectations, and the evolving regulatory landscape shaping cybersecurity compliance.

Continue reading

TD Bank Pleads Guilty to Bank Secrecy Act and Money Laundering Conspiracy Violations and Agrees to Pay More Than $3.09 Billion in Criminal and Civil Penalties for “Systemic Breakdown” in Compliance Policies, Procedures, and Processes

by Jonathan J. Rusch

photo of author

Photo courtesy of the author

In any corporate compliance program, chief compliance officers must be mindful that their programs are not guaranteed to maintain consistent levels of funding from year to year.  Factors such as expanding or contracting business operations, declining business conditions, or external events such as recessions or COVID may require various year-to-year adjustments in a compliance program’s staffing levels and internal controls operations.[1]

Even so, it is essential that senior management in any company or financial institution recognize and accept the fact that at all times, the compliance programs in their enterprise must be adequately resourced and empowered to function effectively.[2] What a company’s senior leadership may not do, under any circumstances, is to make decisions that, over time, systematically starve critical compliance programs of resources essential to the effectiveness of those programs.

Continue reading