CFTC action against Opyn: a new approach to geo-blocking?

2023 has continued to be a banner year for crypto legal news, with recent events including significant charges announced against Titan Global Capital, sanctions and charges against the founders of Tornado Cash, as well as an SEC administrative order against Impact Theory. Even more recently, the CFTC issued orders against operators of three DeFi protocols for offering illegal digital asset derivatives trading, including Opyn, ZeroEx, and Deridex.

While not as high-profile as some of the other recent crypto-related cases, we think the approach taken by the CFTC in the Opyn case has implications that may be more relevant to crypto startups than is immediately apparent.

Briefly, Opyn had developed a digital asset trading platform – the “Opyn Protocol” – that offered trading of digital asset derivatives based in part on the price of ETH to traders in the United States and abroad. To avoid compliance issues with US regulations, Opyn “geo-blocked” its service from being accessed by IP addresses in the US. This is a common step taken by crypto companies who want to avoid being subject to US securities or commodities regulations. 

But despite the geo-blocking, the CFTC charged Opyn with a number of US commodities laws violations, including failing to register as a swap execution facility (SEF) or designated contract market (DCM), failing to register as a futures commission merchant (FCM), and failing to adopt a customer identification program as part of a Bank Secrecy Act compliance program, as required of FCMs, as well as illegally offering leveraged and margined retail commodity transactions in digital assets. All of this led to a monetary penalty of $250,000. On initial glance, that could be considered pocket change to a well-funded crypto startup. But it’s worth noting that Opyn’s “substantial cooperation and remedial efforts” are specifically cited as factors leading to a “reduced civil monetary penalty.”

Taking a step back, there are a couple of points we want to draw your attention to. First, while it’s common for crypto startups to focus heavily on securities compliance issues, crypto commodities derivatives and any platform dealing in them are also subject to regulation. Depending on the nature of a crypto project, maintaining an awareness of relevant commodities regulations may be just as important as keeping abreast of securities regulations.

Second, simple geo-blocking is likely no longer sufficient to ensure that US regulations won’t apply to your project. As the CFTC notes, although Opyn “took certain steps to exclude U.S. persons from accessing the Opyn Protocol, such as blocking users with U.S. internet protocol addresses, those steps were not sufficient to actually block U.S. users from accessing the Opyn Protocol.” It’s hardly a secret these days that VPNs, “onion routing,” and proxies can be used to get around IP-based blocks, and the regulators know this just as well as anyone. Additionally, the CFTC specifically noted that Opyn did not maintain a customer identification program (CIP), and did not require that any user of the Opyn Protocol provide any identifying information, as relevant to this point.

Putting all of this together, it’s likely that crypto startups relying on geo-blocking to avoid US regulations will need to step up their efforts to keep US residents from using their platforms. Taking steps to geo-block not only US-based IP addresses, but also known VPN IP addresses and known TOR exit nodes would likely be a good start. It may also be worthwhile to follow the example of Opyn’s recently-improved access restrictions: Opyn now provides additional warnings, and blacklists crypto wallets that repeatedly attempt to connect from blocked IP addresses.

A screen shot of a warning, reading: You are accessing from a restricted territory. If your wallet attempts to connect 3 times from a restricted territory, your wallet address will be blocked. Please read the Terms of Service.

Source: Opyn.co

Opyn’s added warnings could be read as the natural next step, following the CFTC’s case against Intrade, back in 2012. In that case, the CFTC alleged that Intrade’s “website contained no ‘pop-up’ blocks or other mechanism to prevent U.S. customers from trading on the website. Nor did the website consistently contain warnings alerting U.S. customers that they were not legally permitted to trade certain of the contracts listed on the website.” In line with this, consistent warnings about US-based platform usage should likely be included in the compliance toolbox.

But even beyond such blocks and warnings, it could be necessary to accept that collecting identifying information from users, establishing a CIP, and running KYC and AML checks are simply the next necessary step to avoiding regulatory enforcement. And while the CFTC isn’t yet citing customer background checks as absolutely necessary to establish the non-US bona fides of users, it may worthwhile to consider what’s likely to come next and plan accordingly.

Some may grumble at the idea of implementing such a compliance regime as counter to the anonymous nature of crypto. But it could also be said that the widespread implementation of such measures is a mark of crypto’s mainstream legitimacy and recognition. As crypto takes its place in the wider business community, staying up-to-date on the latest regulatory requirements and taking measures to stay compliant will likely remain essential pieces of the puzzle for crypto startups.

(Cover image: dcoetzee, CC0, via Wikimedia Commons)

Share this post on social media