Federal and state regulators have made it clear that a new wave of enforcement is coming to the crypto industry. The night gathers, and now our watch begins.
The Securities and Exchange Commission (“SEC”) recently added 20 more positions to its Crypto Assets and Cyber Unit, nearly doubling the size of the unit, and recent actions, including a first-of-its-kind insider trading case against a former employee at a crypto exchange , foreshadowing more aggressive enforcement to follow. The Commodity Futures Trading Commission (“CFTC”) is also focusing on increased enforcement.
Crypto companies and their founders are right to be concerned about an SEC or other regulatory investigation. Investigations are stressful, time-consuming and expensive to defend in the best of circumstances, and carry the risk of severe penalties or even referral to criminal prosecution in the worst of circumstances.
While there is no magic bullet to prevent a regulatory inquiry in the crypto space, there are several steps projects can take proactively to limit the risk and cost of a possible future regulatory investigation.
Three steps to prepare a regulatory request
1. Anticipate potential review of public statements. Regulators will often identify public statements and request the factual basis for each statement. If you anticipate a regulatory inquiry, identify prior statements that the regulator may question and simultaneously gather factual support for the statement when it was made. When you make future public statements—whether on a blog, in a press release, on Twitter, or in another public forum—make sure that all factual information in those statements is thoroughly reviewed. Each piece of information should be linked to a specific source; if a source cannot be located for a statement, it may be better to revise the statement. Keep a file of backup evidence for public statements so that if an investigation becomes necessary, you can be confident that your public statements are fully supported – and you can easily provide the documentation to prove it. Not only is this good business practice, but it will dramatically reduce the cost of having outside attorneys try to identify support for what was said retroactively.
Equally important, any entity should make clear who does and does not have the authority to speak on its behalf, and which statements are made on behalf of the entity, as opposed to individual contributors or community members. Appropriate company policy and training in appropriate engagement with the media, and especially with social media, can reduce the risk of unauthorized statements creating difficulties for the business.
2. Implement a document retention policy. Storage of important documents is essential for any business to function. But that doesn’t mean it’s necessary, or advisable, to always save everything. Especially in businesses that are rapidly expanding and experiencing high turnover, a lack of guidelines that address both document storage and destruction will quickly lead to terabytes of data, without anyone in the company knowing what is in it. By the time you receive an investigative request, you will likely have a duty of care for information – which, without proper policies in place, can leave you with a huge amount of data and no sense of its relevance to the area of investigation. The cost of getting outside counsel through it all can be staggering.
While it may not make sense to save everything, it is certainly worse to selectively delete and be suspected of trying to destroy evidence of wrongdoing. Clear guidelines help reduce these risks. A proper document retention policy can specify what is and is not kept and for how long. The guidelines should be drawn up with the guidance of advisers to ensure that all requirements are met in accordance with the current regulations. Significant parts of the retention and deletion policies can often be automated.
When document retention and destruction is thoughtfully handled in advance, it can improve data processing and reduce the cost of any future investigation, while protecting you from allegations of improper destruction of evidence.
3. Create a survey response game plan. Companies often become aware of an investigation when they receive a subpoena from the authorities requesting a response in a very short period of time. For the unprepared, this can lead to panic and crisis response. It is far better to think through the possibilities and have a plan in advance, which you can easily implement on the day a summons or other inquiry arrives.
Developing a game plan for responding to a regulatory request does more than just reduce costs and streamline the early days of an investigation. Being in a position to respond quickly to regulators can go a long way towards increasing credibility and establishing good faith cooperation, which can have a meaningful impact on the regulator’s view of the company and thus the substantive outcome of the regulatory investigation.
Here are some key components:
- Designate internal team members and process owners. Decide in advance who will be responsible for managing the company’s response to a regulatory request. For a small company, this may be just one person. Larger organizations may need one point person and one contact in each relevant department or function (human resources, IT, etc.) to assist them. Determine which of these internal team members own which process and ensure that each is aware and prepared to carry out their responsibilities. Who wants to have contact with external advisers? Who will communicate with employees? Who will collect documents? Who is responsible for public statements? Who will keep the stakeholders informed? Mapping out each required step in the investigation process and assigning a process owner saves time and confusion and will result in a much more streamlined and efficient process.
- Plan for document collection procedures. You will almost certainly need to collect and produce a number of documents. This will include email and other messaging services and internal company documents. Decide who will be responsible for this work and ensure that they are familiar with which systems are used, which documents are kept and how they are to be collected. If you receive a subpoena, you may also have a duty to keep documents. You can prepare a template document retention notice in advance, prepared with the assistance of external advisers, who are ready to update and distribute to the relevant employees to ensure proper retention of documents. Document collection is a significant burden, but taking these steps will reduce this burden and increase responsiveness.
- Identify external advisors. Before receiving any contact from regulators, consider who will act as external counsel assisting in the response to regulators. Not only will this reduce the time needed to retain outside counsel in the initial stages of the investigation, but it can also serve as an opportunity to ensure that someone familiar with your business is retained, reducing the time spent on the investigation itself. Outside attorneys can also help develop your investigative response game plan.
Final thoughts
Fortune favors the prepared. Plan now to significantly reduce the risk and future expenses of responding to a regulatory inquiry. The steps above are just a few examples. Experienced advisors can help you implement these steps and identify others that are properly tailored to protect your business, for this night and all the nights that follow.
The content of this article is intended to provide a general guide to the subject. You should seek specialist advice about your specific circumstances.
