October 5, 2022

CFTC Attempts to Extend Liability to DAO Participants

In a first of its kind enforcement action, the Commodity Futures Trading Commission (“CFTC”) is attempting to hold participating members of a decentralized autonomous organization (“DAO”) liable for alleged violations of the Commodity Exchange Act (“CEA”) and CFTC regulations. The CFTC argued (1) that the DAO is an unincorporated association; (2) that on the basis of state law principles, individual members of an unincorporated association can be found liable for the debts of the association; (3) that participating members of the DAO (i.e., token holders that actually voted their tokens) have directed the operations of the DAO; and (4) that therefore those members can be held liable for the DAO’s alleged violations of the CEA and CFTC regulations. The CFTC’s attempt to extend liability to DAO participants should cause concern to the DeFi and greater Web3 communities.

On September 29, 2022, the CFTC filed and settled charges against bZeroX, LLC (“bZeroX”) and the two individuals that created and launched the bZeroX protocol (the “Respondents”) for illegally offering leveraged and margined trading in digital assets to retail investors; failing to register as futures commission merchant (“FCM”); and failing to adopt an anti-money laundering (“AML”) compliance program, as required of FCMs. Simultaneously, the CFTC filed a federal civil enforcement action in the U.S. District Court for the Northern District of California charging the Ooki DAO — the successor to bZeroX DAO that assumed control of and operated the same DeFi protocol as bZeroX — for violating the same laws as bZeroX and the Respondents. It is not new or unusual that the CFTC charged a company and its founders for violations of the CEA involving digital asset trading. However, until now, no regulator has brought an enforcement action purportedly against the individual participating members of a DAO.

The alleged violations are consistent with the types of enforcement claims typically brought by the CFTC. The CEA and CFTC regulations make clear that (1) any leveraged or margined transaction on a commodity (which includes digital assets) by retail investors where actual delivery does not occur within 28 days must be executed on a regulated exchange or such transaction must be conducted solely between eligible contract participants; (2) only registered FCMs can accept money to margin trades on commodities; and (3) FCMs (or those required to register as FCMs) must implement know your customer (“KYC”) and AML procedures. BZeroX and the Respondents permitted U.S. persons to contribute margin (e.g., collateral) to open leveraged positions whose ultimate value was determined by the price difference between two digital assets from the time the position was established to the time it was closed. These transactions were required to take place on a designated contract market or swap execution facility, through a registered FCM that accepts the collateral for the trades and performs KYC and AML checks on the clients. Without admitting or denying any of the CFTC’s charges, BzeroX and the Respondents consented to pay a $250,000 fine for the alleged violations.

However, the CFTC’s extension of liability to the DAO participants is new and troubling. The CFTC did not rely on the CEA, any CFTC regulations, any federal statutes or any relevant case law involving the CFTC or commodities. Rather, the CFTC cites state-law doctrine (cases from Maine and New Hampshire) for the proposition that members of a for-profit unincorporated association are jointly and severally liable for the debts of that association. It is surprising that the CFTC would attempt to impose governmental sanctions for violations of federal commodities law based on state law developed for contract and tort disputes between private parties.

The policy implications are also problematic. The CFTC’s charges against the DAO participants are an example of “regulation by enforcement” by effectively making new rules applicable to DAOs and token holders based on legal theories never before publicized by the CFTC or put out for public comment. As a result, members of the DAO did not have adequate notice that the CFTC would seek to impose liability in this manner.

Further, the complaint appears to name as defendants only those token holders “who vote those tokens to govern (e.g., to modify, operate, market, and take other actions with respect to) [the Ooki Protocol],” rather than token holders generally. The complaint states that the Ooki DAO exists for the same purposes as bZeroX and the Respondents: “to run a business, and specifically, to operate and monetize the Ooki Protocol… through the votes of Ooki Token holders…who, through their votes, chose to participate in running that business.” It appears that those token holders that did not vote, for whatever reason, would not be actively involved in the management of the alleged illegal business being conducted by the Ooki Protocol. By way of example, the CFTC’s complaint (in paragraph 46) describes a vote held to change the name of the protocol, i.e., a “rebranding”, noting that this vote “did not result in legal changes to the DAO’s business or material changes to its operations.” This seems to differentiate between the types of votes and the nature of token holders’ participation that could give rise to liability, despite the fact that a “rebrand” could be a material marketing decision and that marketing was expressly identified by the CFTC as inherent to the active role of other token holders. Regardless, even those that are active in voting for protocol upgrades and changes may not be identifiable, or tokens may have changed hands many times over since the operative vote.

There are significant questions about how the “named” defendants (i.e., the participating DAO members) will be identified if this case proceeds. The CFTC alleges without providing evidence that “multiple Ooki DAO members have resided in the United States and have conducted Ooki DAO business…from within the United States.” And while at least some token holders’ wallets are likely to be identifiable or traceable to individuals, it appears that the CFTC has not yet done that work, giving rise to the question of whether this is an enforceable complaint that can overcome myriad procedural questions, including, among other things, whether the CFTC can establish jurisdiction over each individual DAO member in the United States, or in California in particular. The CFTC has conceded the challenges it faces in seeking to serve the DAO members, including the “significant obstacles to traditional service of process.” To overcome these hurdles, the CFTC proposed — and the Court has now approved — alternative service of the summons and complaint through the Ooki DAO’s Help Chat Box, with contemporaneous notice by posting in the Ooki DAO’s online forum. Allowing this form of alternative service has serious implications for the due process rights of the individual participants in the DAO, who may not have actual notice of the claims within the time frame required to respond. It also remains unclear how the CFTC would enforce a judgment against individual DAO members in the event of a default, since their identities will likely remain largely unknown. Given these procedural obstacles, it remains to be seen whether the CFTC intends to pursue its claims against individuals in earnest, or whether the complaint instead serves as a warning shot to signal the CFTC’s intention to take a more active role in the industry overall, in line with legislative proposals that would make the CFTC the primary regulator of digital assets.

The dissenting statement by CFTC Commissioner Summer Mersinger highlights the risks to DAO participants and the broader DeFi community. Commission Mersinger argues that by “[d]efining the Ooki DAO unincorporated association as those who have voted their tokens inherently creates inequitable distinctions between token holders. For example, suppose that during the period in which token holders A and B hold voteable DAO tokens: (i) there is a single vote on a governance proposal, which has nothing to do with compliance with the CEA or CFTC rules; and (ii) token holder A votes on it, but token holder B does not. Under the CFTC’s definition, token holder A has now become a member of the unincorporated association and (possibly unknowingly) assumed personal liability and is subject to CFTC sanctions for any violations of the CEA by the Ooki DAO — whereas token holder B, by the happenstance of not voting on this random governance proposal, has not.” Until the CFTC provides further guidance on the rights and obligations of DAOs and token holders, or the Ooki DAO matter is fully resolved in court, the Web3 community should be aware of the potential personal regulatory liability (which limited liability entity structures may not be able to limit, for example) when voting or participating in DeFi protocol or DAO governance. This potential liability risk could also have unintended consequences for many projects whereby decentralized and distributed governance is an important feature.