Bitfinex Didn't Fight The CFTC Regulations, Which Catalyzed A Security Breach
Bitfinex suspended trading yesterday due to a breach in their security.
This breach, caused by a hack, resulted in the theft of 119,756 BTC. No fiat currency was stolen. The Commodity Futures Trading Commission (CFTC) fined Bitfinex $75,000 this past June and ordered that the exchange change its practices and comply with the Commodity Exchange Act and regulations. Bitfinex paid the fine and complied with CFTC by changing its practices. Some are speculating that the actions taken by Bitfinex in complying with the CFTC directly correlate to this security breach.
The details of this hacking incident are limited and Bitfinex declined to release additional information since there is an ongoing investigation. However, based on the information that is available it is likely that the CFTC regulations may have catalyzed the occurrence of this security breach. The CFTC is not solely to blame for this security breach. Bitfinex is also responsible because they failed to exercise procedural options available to them which could have prevented this incident from occurring.
On September 17, 2015, the CFTC ruled that bitcoin and other virtual currencies are encompassed in the definition of, and properly defined as, commodities. Title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Public Law 111-203, 124 Stat. 1376 (2010) amended the Commodity Exchange Act to add, among other things, new authority over certain leveraged, margined, or financed retail commodity transactions. Therefore, the CFTC has jurisdiction over certain leveraged, margined, or financed retail commodity transactions involving bitcoin and other virtual currencies.
On June 2, 2016, the CFTC issued an Order filing and simultaneously settling charges against Bitfinex. The Order found that from April 2013 to at least February 2016, Bitfinex permitted users to borrow funds from other users on the platform in order to trade bitcoin on a leveraged, margined, or financed basis which constitutes a futures contract. The Order also found that Bitfinex did not actually deliver those bitcoins to the traders who purchased them rather Bitfinex held the bitcoins in deposit wallets that it owned and controlled which triggers compliance of CFTC regulations pursuant to the Commodity Exchange Act (the Act).
Actual delivery denotes the act of giving real and immediate possession to the buyer or the buyer’s agent. U.S. Commodity Futures Trading Comm'n v. Hunter Wise Commodities, LLC, 749 F.3d 967, 978-9 (11th Cir. 2014). Electronic transfer of documents indicating control or possession without physical transfer of the commodity does not constitute actual delivery. Id. If actual delivery is made, then the CFTC does not have jurisdiction. This actual delivery rule is an exception to CFTC jurisdiction.
The CFTC found that Bitfinex did not meet this definition of actual delivery because Bitfinex placed customers’ bitcoins in a cold storage wallet where Bitfinex, not the buyer, had actual control and possession. Cold storage in the context of bitcoin refers to keeping a reserve of bitcoins offline. Therefore in order to comply with the CFTC, Bitfinex either had to register with the CFTC or provide buyers with the actual delivery of their bitcoins.
Bitfinex paid the CFTC a fine and agreed to, among other things, cease and desist from their cold storage practices even though cold storage is known as the most secure method of storing bitcoin and other virtual currencies. Bitfinex replaced their cold storage for bitcoin with segregated customer wallets so that each user has their own bitcoin wallet. Bitfinex was able to do so by implementing Bitgo onto their platform. The hacking incident allegedly was a result of this change in practice.
Subsequently, on August 2, 2016, Bitfinex discovered a security breach and halted all trading, deposits and withdrawals. This security breach is still not resolved and Bitfinex claims that this breach was not internal. The stolen bitcoins were not insured and Bitfinex stated, “Although this incident is unfortunate, its scale is small and will be fully absorbed by the company.” Bitfinex seems to be taking the blame but the CFTC has equal if not greater blame in this incident as well.
The CFTC addressed a problem with Bitfinex but the solution turned out to be more disastrous and harmful than the problem itself. The CFTC intended to protect consumers to prevent fraud with the exchanges. However, the results contradicted what was originally intended. Consumers were not protected; rather they were exposed to massive risk. The CFTC failed to take into consideration the unique form and characteristics of bitcoin and virtual currency. Replacing the cold storage method exposed consumers to the risk of a security breach. Hackers can only compromise funds if stored online. Cold storage is a security measure that prevents theft from hackers. There should have been a compromise here possibly in the form of amending the actual delivery exception specifically for bitcoin and other virtual currencies. Doing so likely could have prevented this theft from occurring.
Bitfinex is also to blame because they did not perform their due diligence. Instead of immediately giving the CFTC an offer for settlement Bitfinex could have made a request for an administrative hearing and argued for their cold storage practices while keeping within the actual delivery exception. Although this method would have taken more time, effort and resources, it would pale in comparison to the $67 million loss caused by the hack.
Going forward, exchanges should keep in mind that they have the ability to challenge the law and regulatory action, and advocate their positions in court. Although tedious and laborious the results could be very beneficial and could avoid disasters like this from occurring in the future.