Digital Assets Defined: Consumer Protection And Cybersecurity Enter The Stage – Dodd-Frank, Consumer Protection Act

In this latest White Paper on our Bill analysis, we underscore headline
proposals in the Lummis-Gillibrand Responsible Financial Innovation
Act (the "Bill") regarding consumer protection standards
(Title V) and cybersecurity standards (Title VIII, Section 808). As
for consumer protection standards, the Bill lays out the notices
and disclosures that digital asset service providers must give
customers, and the subjects that customer agreements must address.
The Bill also covers rules for managing the accrual of gains to
digital assets, the implementation of source code changes to
digital assets, the enforcement of the standards laid out in the
title, and customers' rights to individual management of their
digital assets. As for cybersecurity standards, the Bill requires
the Commodity Futures Trading Commission ("CFTC") and the
Securities and Exchange Commission ("SEC") to develop
guidance related to cybersecurity for digital asset intermediaries
(as described in our previous White Paper).

We conclude this White Paper by highlighting important
unresolved questions that should be the focus of future stakeholder
efforts to refine the Bill before it-or aspects of it- becomes
law.

CONSUMER PROTECTION STANDARDS FOR DIGITAL ASSETS

Scope of Permissible Transactions

A digital asset service provider, defined in the Bill as set
forth below, must ensure that the scope of permissible transactions
that it may undertake with its customers' digital assets is
clearly disclosed in a customer agreement. Unlike other
requirements for digital asset service providers in Title V, this
requirement applies to both "persons" and
"protocols" providing digital asset services. Under the
Bill, a "person who provides digital asset services"
includes: (i) a digital asset intermediary; (ii) a financial
institution as defined in section 1a of the Commodity Exchange Act;
and (iii) any other person conducting digital asset activities
pursuant to a federal or state charter, license, registration, or
other similar authorization, or a person who is required by law to
hold such a license, registration, or other similar authorization.
The Bill does not define "protocol," but based on the
Bill's other references to protocols, it likely means
decentralized applications such as decentralized finance
("DeFi") protocols.

Required Notices to Customers

A digital asset service provider must give clear notice to each
customer, and obtain the customer's acknowledgement, of any
"material"¹ changes to the source code version
of a digital asset involved in the parties' contractual
relationship.² Under the Bill, "source code
version" means the source code version comprising a digital
asset, and does not include the software used to manage or
facilitate transactions in a digital asset. The provider must
generally give the required notice and obtain the required
acknowledgement before the provider implements any material source
code change. Notice and acknowledgement are not required in
emergencies, however, such as when security vulnerabilities exist
that require immediate changes to a source code version. It is
unclear as to whether, in an emergency, notice and acknowledgement
would be required after a source code version change is
implemented. However, as laid out elsewhere in the Bill (see
"Source Code Version of Digital Assets," below), a
provider may specify that different standards for implementing
source code version changes apply in emergencies, which could
include giving notice and obtaining acknowledgement after a source
code change is implemented.

In addition, a digital asset service provider must provide clear
notice to each customer, and require the customer's
acknowledgement, of the following:

• Whether the customer's digital assets are segregated from
  other customers' assets, and the manner of segregation.
• How the customer's assets would be treated in a bankruptcy
  or insolvency scenario, and the risks of loss (note that Title IV,
  Section 407 of the Bill, which will be discussed in a future Jones
  Day White Paper, enacts new requirements related to the
  bankruptcy treatment of digital assets).
• The time period and the manner in which the provider must
  return the customer's digital assets to the customer upon the
  customer's request.
• Any fees that apply to the contractual relationship between the
  provider and the customer (such fees could include transaction
  fees, or a monthly fee for custodying digital assets).
• The provider's dispute resolution process for any disputes
  that arise between the provider and the customer.

Subsidiary Proceeds

Except as otherwise specified in a customer agreement, all
"ancillary or subsidiary proceeds" related to digital
asset services provided by a digital asset service provider accrue
to the customer's benefit. "Subsidiary proceeds" are
defined to include proceeds arising from forks,³
airdrops,⁴ staking,⁵ and other gains that
accrue to a digital asset through market transactions, use as a
financial asset, or being held in custody or safekeeping by a
digital asset service provider. The use of "ancillary"
appears to be redundant here, since there is no separate definition
for "ancillary proceeds," and "ancillary" and
"subsidiary" are related concepts. A digital asset
service provider may elect not to collect certain subsidiary
proceeds, if the election is disclosed in a customer agreement.

Assuming a digital asset service provider elects to collect
subsidiary proceeds, a customer may withdraw its digital assets
from the provider in a method that permits the collection of
subsidiary proceeds. Further, if a customer desires, a digital
asset service provider must enter into a customer agreement
regarding the manner in which to invest subsidiary proceeds or
other gains attributable to the customer's digital assets.

As used here in connection with "subsidiary proceeds,"
an "agreement" includes the digital asset service
provider's standard terms of service. Thus, to the extent these
standards on subsidiary proceeds require something to be disclosed
in or agreed to through a customer agreement, it may be disclosed
in or agreed to through the provider's standard terms of
service.

Lending Arrangements

Digital asset service providers must ensure that any lending
arrangements they have with customers related to digital assets are
clearly disclosed to customers before any lending services take
place, and that their customers consent to such arrangements.

Providers must also ensure that any lending arrangements with
customers are accompanied by a wide variety of disclosures.
Specifically, such arrangements must be accompanied by:

• Full disclosures of applicable terms (such as the loan's
  repayment period, monthly payments, and interest rate) and risk,
  yield, and the manner in which the yield is calculated.
• "Appropriate disclosures" related to collateral
  requirements and policies, including: (i) haircuts and
  overcollateralization;⁶ (ii) collateral the provider
  accepts when calling for additional collateral from a customer,
  including collateral substitution; (iii) whether customer
  collateral is comingled with other customers' collateral or the
  provider's collateral; and (iv) how customer collateral is
  invested, and whether the yield belongs to the customer or the
  provider. The term "appropriate disclosures" is not
  defined here.
• Disclosures of mark-to-market and monitoring
  arrangements,⁷ including: (i) the frequency of
  mark-to-market monitoring and how frequently the provider will call
  for additional collateral from a customer; (ii) the time period in
  which the customer must supply additional collateral to the
  provider after a collateral call; and (iii) whether the provider
  permits failures to deliver additional collateral, and if so, the
  period of time in which a customer must cure the failure before the
  customer's position is closed.

Further, providers must ensure that lending arrangements with
customers are "fully enforceable as a matter of commercial
law" and compliant with all applicable federal and state laws.
In general, for a contract to be legally enforceable, there must be
an offer, an acceptance, consideration, capacity to contract, and
legality of purpose. Certain laws apply to lending arrangements in
particular, including the Equal Credit Opportunity Act, which
prohibits lenders from discriminating against borrowers on the
basis of any protected class; the Truth in Lending Act, which
requires lenders to disclose loan cost information to borrowers;
and state usury laws, which prohibit lenders from charging
unreasonable or predatory interest rates. Requiring providers to
ensure that their lending arrangements with customers are
"fully enforceable as a matter of commercial law" and
compliant with federal and state lending laws could have a profound
impact on DeFi protocols and decentralized autonomous organizations
("DAOs"), many of which employ smart contracts to
effectuate loan transactions. Questions regarding the
enforceability of the "agreements" underlying smart
contracts-such as what source code controls and who the contracting
parties are-have circulated for years without clear answers.
Because it does not address these questions directly, the Bill, as
written, would require DeFi protocols and DAOs to continue to
answer these questions for themselves, and to incorporate the
requirements of contract law in general, and lending laws in
particular, into the smart contracts and related documents used for
loan transactions.

Rehypothecation

Before a rehypothecating a customer's digital asset-that is,
before pledging to a third party as collateral for a financial
transaction a digital asset that a customer has pledged to the
provider as collateral for a loan-a digital asset service provider
must clearly disclose its polices on rehypothecation to customers,
including a clear definition of "rehypothecation" that is
accessible to consumers. The terms "clearly disclose,"
"clear definition," and "accessible" are not
defined here. A provider must also obtain affirmative consent from
a customer to rehypothecate that customer's digital asset.

In addition, when deciding to rehypothecate a customer's
digital asset, a provider must consider the following factors to
appropriately mitigate risk relating to rehypothecation:

• The liquidity and volatility of the digital asset.
• Past failures to deliver the digital asset.
• The concentration risk of the digital asset.⁸
• Whether an issuer or lender of last resort relating to the
  digital asset exists, including for virtual currency with a finite
  supply.⁹
• The provider's capital, leverage, and market position.
• The provider's legal obligations to customers and other
  digital asset service providers.

Source Code Version of Digital Assets

At the beginning of their contractual relationship, a digital
asset service provider and its customer must agree in writing on
what source code version will apply to each digital asset involved
in that relationship, including for purposes of legal treatment.
This agreement must include the treatment of each digital asset
under securities laws and commodities laws, as well as under the
Uniform Commercial Code ("UCC") applicable to the
transaction.

A digital asset service provider may periodically implement a
digital asset source code version that uses validation rules
different from those of the source code version specified in the
customer agreement. The term "validation rules" is not
defined, but most likely refers to block-level validation rules (or
"consensus rules"), which define what is permitted to be
included in a block on a blockchain and require nonconforming
transactions to be rejected from the chain.

A provider may implement a digital asset source code version
with different validation rules even when it is not possible to
predict in advance whether using the different source code will be
in the "best interests" of the customer. However, this
discretion leaves open the possibility that providers must consider
how a source code change will affect customers' best interests
if it is possible to do so. The "best interests" of the
customer are not defined; what is in a customer's "best
interests" could range from ensuring the maximum possible
value of a digital asset, to ensuring the maximum possible
liquidity of the digital asset, to ensuring that the digital asset
can be used in future transactions.

A digital asset service provider must consider the nature of any
proposed changes to the source code versions of a digital asset.
Specifically, the provider must consider whether any proposed
changes by third-party actors-such as within a DAO-could create
different source code versions resulting in new networks that could
create "economic value" for customers. The term
"economic value" is not pegged to any particular standard
here; perhaps it could be determined by the digital asset's
price in the securities or commodities markets, or by the
asset's liquidity and risk.

Although a digital asset service provider is allowed to
implement a digital asset source code version that uses different
validation rules, it is not required to support digital assets and
source code versions that it has not agreed with customers to
support. This issue may arise if customers are expecting or
pressing a provider to change the source code version of a digital
asset. At the same time, a digital asset service provider must not
"capriciously" redefine a digital asset or corresponding
source code or alter customer agreements as they relate to digital
asset source codes. The term "capriciously" is not
defined here.

A digital asset service provider must adopt and maintain
standards for implementing digital asset source code versions with
different validation rules from those of the source code version
specified in a customer agreement. These standards must include
customer notice and approval "as appropriate based on the
circumstances"; this rule is not explained, and will likely be
based on a fact-intensive inquiry and subject to court
interpretation. Providers may specify that different standards for
implementing source code version changes apply in emergencies, such
as when security vulnerabilities exist that require immediate
changes to a source code version.

Settlement Finality

Digital asset service providers and their customers must agree
on the terms of settlement finality for all transactions between
them. That agreement must address the conditions under which a
digital asset may be deemed fully transferred as a matter of law.
These legal conditions may be different from the operational
conditions under which digital assets are considered transferred
based on the distributed and probabilistic nature of digital
assets. Therefore, digital asset service providers and their
customers can choose to consider a digital asset as fully
transferred as a matter of law, even if different from when it
would be considered fully transferred in operation.

The agreement between provider and customer on settlement
finality terms must also address the exact moment of transfer of a
digital asset, the discharge of any obligations upon transfer of a
digital asset, and conformity to applicable provisions of the UCC.
Provisions of the UCC that relate to settlement finality include
Article 2, Parts 3-5 (transfer obligations related to contracts for
the sale of goods); Article 4, Part 2 (transfer obligations related
to bank deposits and collections); Article 4A, Parts 2-4 (transfer
obligations related to funds transfers between banks); Article 8,
Part 3 (transfer obligations related to investment securities); and
Article 9, Part 2 (attachment obligations related to secured
transactions).

Standards of Customer Notice and Enforcement of Consumer
Protection Standards

When providing disclosures and carrying out other duties under
31 U.S.C. Subtitle VI, Chapter 98 (a new chapter created by the
Bill), a person who provides digital asset services in or affecting
interstate commerce must provide "higher" standards of
customer notice and acknowledgement if there is likely to be a
"material" impact on the "economic value" of a
customer's digital asset. Again, the terms "higher"
and "material" are not defined here. And, again, the term
"economic value" is not pegged to any particular
standard.

The Bill also instructs that the "standards" under 31
U.S.C. Subtitle VI, Chapter 98 shall be enforced "in an
appropriate manner," commensurate with other consumer
protection standards. Given the reference to "other consumer
protection standards," the term "standards" most
likely refers to the "consumer protection standards" laid
out in Title V of the Bill. "[A]n appropriate manner"
will most likely depend on how authorities would enforce consumer
protection standards in other contexts. "Commensurate
with" also indicates that enforcing authorities must not treat
the consumer protection standards applicable to digital assets any
differently from the consumer protection standards applicable to
other types of goods or services.

The consumer protection standards under Title V applicable to
digital asset intermediaries will be enforced by the federal or
state licensing, registration, or chartering authority of the
intermediary, while the standards applicable to depository
institutions or other financial institutions will be enforced by
the appropriate federal or state banking supervisor.

Right to Individual Management of Digital Assets

"[E]xcept as otherwise required by law," no person is
required to use an intermediary for the safekeeping of digital
assets that the person legally owns and either possesses or
controls. An example of a law that requires a person to use an
intermediary for the safekeeping of assets that the person legally
owns and either possesses or controls is 17 CFR § 227.100,
which requires a securities issuer to use an intermediary when
relying on the crowdfunding exemption to securities registration
requirements.

The Bill states it should not be interpreted as allowing a
person to engage in market activity for which authorization is
required under federal or state law. In other words, the fact that
a person is not required to use an intermediary to safekeep that
person's digital assets does not mean that person can use those
digital assets for a market activity without being authorized to do
so, if such authorization is required by federal or state law.

The Bill also states that it should not be interpreted as
preventing a person from freely entering into an agreement for
digital asset services with a third party. In other words, the fact
that a person is not required to use an intermediary to safekeep
that person's digital assets does not mean that person is
prohibited from making an agreement to do so if desired.

Undefined Terms

As evident from the above discussion, the Bill's proposals
related to consumer protection standards leave several crucial
terms undefined. The meanings ultimately assigned to these
undefined terms will likely be based on fact-intensive inquiries
and subject to interpretation by courts and by a number of federal
and state agencies. Some terms-such as "material" and
"best interests"-may be interpreted consistently with
their meanings in other contexts, such as whether there has been a
misrepresentation or omission of "material" information
to investors in the securities fraud context, and whether a
broker-dealer's recommendation of a securities transaction or
investment strategy involving securities is in the "best
interests" of a retail customer. Other terms have no
corollaries to reference, and will present issues of first
impression.

It is also likely that some or all of the federal and state
regulators responsible for enforcing the Bill's consumer
protection standards (see "Standards of Customer Notice and
Enforcement of Consumer Protection Standards," above) will
promulgate rules or guidance interpreting these undefined terms in
the future. Indeed, Title VIII of the Bill expressly contemplates
that the CFTC and the SEC, among other federal financial
regulators, will issue "individualized interpretative
guidance" on the application of statutes, rules, or policies
under their jurisdiction.

CYBERSECURITY STANDARDS FOR DIGITAL ASSET INTERMEDIARIES

On the topic of cybersecurity, the Bill requires the CFTC and
the SEC, in consultation with the Secretary of the Treasury and the
Director of the National Institute of Standards and Technology, to
"develop comprehensive, principles-based guidance relating to
cybersecurity" for digital asset intermediaries. This guidance
must account for:

• The internal governance and organizational culture of the
  digital asset intermediary's cybersecurity program;
• The security operations of the digital asset intermediary,
  including threat identification, incident response, and
  mitigation;
• Any risk identification and measurement by the digital asset
  intermediary;
• The mitigation of risk by the digital asset intermediary,
  including policies of the digital asset intermediary, controls
  implemented by the digital asset intermediary, change management
  with respect to the digital asset intermediary, and the
  supply-chain integrity of the digital asset intermediary;
• Any assurance provided by, and testing conducted by, the
  digital asset intermediary, including penetration testing and
  independent audits so conducted; and
• The potential for digital asset intermediaries to be used to
  facilitate illicit activities including sanctions avoidance.

This guidance must be "developed," according to the
Bill, no later than 18 months after the Bill is enacted.

CLOSING THOUGHTS

All told, the Bill sets out a thorough framework for regulating-
or developing rules for regulating-important consumer protection
and cybersecurity issues in the digital assets space. These include
foundational matters such as customer notices, subsidiary proceeds,
lending arrangements, and source code controls. At the same time,
the Bill relies on key terms and concepts that it does not define,
such as "material" changes to source code,
"higher" standards of customer notice and
acknowledgement, and "best interests" of the customer, to
name just a few. Thus, in order for the proposed framework to be
implemented in a manner that provides clarity for market
participants, the Bill will have to become more specific, or
agencies and courts may be left to fill in the blanks.

Footnotes

1. The Bill does not define the term
"material."

2. "Source code" refers to a set of
instructions, written in programming language, directing a computer
program how to function.

3. "Forks" are changes to a blockchain's
protocol that cause the chain to split and produce an additional
chain.

4. An "airdrop" is the delivery of a
cryptocurrency, token, non-fungible token ("NFT"), or
other type of digital asset to customers at no cost, generally as
part of a promotion.

5. "Staking" is pledging digital assets to a
platform for use in the proof-of-stake process for validating
blockchain transactions in a proof-of-stake ecosystem, e.g.,
Ethereum.

6. A "haircut" refers to valuing a collateral
asset as less than its fair market value, while
"overcollateralization" refers to pledging a collateral
asset worth more than the loan amount.

7. "Mark to market" is a method of measuring,
based on current market conditions, the fair value of an account
that can fluctuate over time.

8. "Concentration risk" is the risk of loss
that may occur from a customer "concentrating" its
investments in the digital asset, compared to the customer's
overall portfolio.

9. A "lender of last resort" provides liquidity
to a lender that urgently needs funding and has exhausted all its
other options

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

Comments are closed.