Lawyer: Don’t Punish the Programmers

Regulators should not hold programmers responsible for unlawful uses of emerging technology, a financial services lawyer has said.

“If I have to give any advice to this agency, it’s don’t create the rules through enforcement activity; don’t create the rules through rules that scare people,” Katten special counsel Gary DeWaal said, referring to the Commodities Futures Trading Commission (CFTC).

DeWaal, who was speaking at the CFTC’s Fintech Forward conference in Washington, DC, on Thursday, said one example was the provision in the regulatory consultation of Regulation Automated Trading (Reg AT) that regulators would be empowered to look over market participants’ source code without a subpoena.

“This is the secret sauce, you can’t just have access absent subpoena and process,” DeWaal said. “That is just fundamental fairness… When you bring enforcement actions against programmers, there may be a legitimate reason why a regulatory agency is doing that, but it sends a very chilling message to the industry as to what is the liability of a programmer when somebody uses that program for an illicit purpose.”

DeWaal said regulatory agencies should at least give the industry notice in advance through public statements and conferences, and generally make their thinking clear to the industry.

He referred to a speech given a year ago by CFTC Commissioner Brian Quintenz, in which the commissioner said that developers of smart contracts should be liable for violations of CFTC regulation perpetrated with code they wrote.

Markets regulators like the CFTC and the Securities and Exchange Commission (SEC) are grappling with how to apply existing legal paradigms to emerging technologies that were not invented when those statutes were made.

In the case of these agencies, regulation is based on the registration of market intermediaries like exchanges or clearinghouses. With disintermediated technology like blockchain, there is no one to register, and so regulators must find other ways to identify who is responsible for ensuring that activity on the blockchain complies with the law.

In the case of smart contracts, it’s not just users, but coders who should be held liable, Quintenz said in that speech.

It is appropriate to ask, “whether those code developers could reasonably foresee, at the time they created the code, that it would likely be used by US persons in a manner violative of CFTC regulations,” he said.

Just weeks after Quintenz’s speech, DeWaal said, the SEC brought an enforcement action against Zachary Coburn, the founder of EtherDelta, a digital token trading platform. This action was the first ever by the SEC against an entity found to be operating as an unregistered national securities exchange.

“The SEC didn’t bring an action against the application. The application is just an application, it was an ERC-20 protocol smart contract. What they did is, they brought the action against the founder, who ironically wasn’t even associated with the product anymore,” DeWaal said.

Chicago-based Coburn had created EtherDelta in July 2016, but sold it in late 2017. In 2018, when the SEC brought the enforcement action against him, he had nothing to do with the platform: he was not operating it or collecting fees from its users. However, the SEC said, Coburn could have reasonably anticipated that the application when put to use would violate SEC licensing requirements for securities exchanges and should be held liable. Coburn paid $300,000 in disgorgement of earnings, plus other penalties.  

“That was a real wake-up call. It was a real-life example of somebody being picked out and made responsible,” DeWaal said.  

He said the interface of old school regulations with new school technologies is only going to get more complicated.

“Decentralized, open-source technology will make it extremely difficult to point the finger at somebody. In this case, they were able to find out who built round one. But as we move forward … I can imagine a scenario where it’s going to be next to impossible to point the finger at a single person or an organization, where a regulatory body is saying you, guy in Ukraine, are at fault for writing these two lines of code. That is not going to happen, and this long term is where we are trending.”