Troutman Pepper Partner Ethan Ostroff welcomes his colleagues Kim Phan and Addison Morgan to discuss the recent enforcement actions brought by the Federal Trade Commission (FTC) against Celsius Network and its co-founders.
In this episode of The Crypto Exchange, Troutman Pepper Partner Ethan Ostroff welcomes his colleagues Kim Phan and Addison Morgan to discuss the recent enforcement actions brought by the Federal Trade Commission (FTC) against Celsius Network and its co-founders. In addition to permanently banning Celsius Network from consumers' assets, the FTC also fined the company a near record-breaking $4.7 billion.
This is a groundbreaking move by the FTC for two reasons. First, it marks the first time that the agency has filed suit against a digital asset-based company. Second, the FTC's request for civil money penalties is predicated on a novel theory under the Gramm-Leach-Bliley Act (GLBA). Alongside the FTC, the Department of Justice has also filed criminal charges against ex-CEO Alexander Mashinsky. Additionally, the Securities and Exchange Commission and the Commodity Futures Training Commission have filed separate civil enforcement actions against Celsius.
Ethan, Kim, and Addison discuss the intricacies of the FTC's enforcement actions against Celsius Network, including their creative use of the GLBA, and the impact this will have on future enforcement actions against companies in the digital asset ecosystem.
The Crypto Exchange: Turning up the Heat – A Look at the FTC's Groundbreaking Fine Against Bankrupt Digital Asset Services Provider Celsius Network LLC
Host: Ethan Ostroff
Guests: Kim Phan and Addison Morgan
Recorded: 8/2/23
Ethan Ostroff:
Welcome to another episode of The Crypto Exchange, a Troutman Pepper podcast focusing on the world of digital assets. As longtime leaders in the intersecting worlds of law, business, and government regulations, our lawyers go beyond the buzzwords and headlines to make sense of the emerging legal and regulatory frameworks for operating in the digital asset industry.
I'm Ethan Ostroff, one of the hosts of the podcast and a partner at Troutman Pepper. Before we jump into today's episode, let me remind you to visit and subscribe to our blogs, consumerfinancialserviceslawmonitor.com and troutmanpepperfinancialservices.com. And don't forget to check out our other podcasts on troutman.com/podcast. We have episodes that focus on trends that drive the payments industry, consumer financial services writ large, the Fair Credit Reporting Act, and more. Make sure to subscribe to hear the latest episodes.
Today I'm excited to be joined by my colleagues Kim Phan and Addison Morgan to discuss a very interesting recent FTC enforcement action against Celsius Network and its co-founders. This involves a fine of $4.7 billion. That's right, audience, $4.7 billion. This is a groundbreaking move in our opinion by the FTC for two reasons. First, it's the first time that the FTC has filed suit against a digital asset-based company. And second, and I'm particularly excited to talk about this part with Kim, is the FTC's request for civil monetary penalties being predicated on a novel theory under the Gramm-Leach-Bliley Act, as most of us refer to it, the GLBA. Alongside the FTC, the Department of Justice has also filed criminal charges against ex-CEO Alexander Mashinsky. And the Securities and Exchange Commission and the Commodity Futures Training Commission have also filed separate civil enforcement actions against Celsius. So Celsius has certainly been in the news.
Before we get into this case and the nitty-gritty details, particularly about the GLBA, I thought, Kim, it might be helpful if you could just give our audience a little bit of background about the Federal Trade Commission Act or the FTC Act and the GLBA and the types of activities each of those statutes regulate.
Kim Phan:
It's my pleasure to be your guest today and thank you for having me. I'm excited to talk about this case and the recent developments at the FTC, but as you rightly note, a little bit of background would probably help the audience.
For those of you who don't know, the Federal Trade Commission was created way back in 1914 by President Woodrow Wilson. And it was created by the Federal Trade Commission Act, which we'll refer to during the podcast as the FTC Act. And the FTC was created with a mission to protect consumers as well as promote competition that will be focusing on the consumer protection aspect for purposes of this particular case. And under the FTC Act, specifically Section 5, the FTC has broad authority to enforce a prohibition against unfair or deceptive acts or practices. Now, this authority reaches any company engaged in interstate commerce, so very broad jurisdiction. The only exceptions really are banks, who of course have their own prudential regulators, and nonprofits.
Now, the FTC has brought legal actions under Section 5 for years, specifically with regard to actions like violating consumer privacy rights, which they consider to be unfair under their unfair deceptive acts or practices authority, as well as making deceptive statements, misleading consumers about failures to maintain security or causing other consumer injuries based on representations they may have made about their security posture. And that's the deceptive arm of unfair deceptive acts or practices.
Now, over the years, the FTC's authority has been extended to reach other consumer protection statutes for which the FTC has given enforcement authority. For example, the Gramm-Leach-Bliley Act. This is a law that was enacted back in 1999. It was intended to protect consumer's financial information. The GLBA was divided into two areas with regard to data protection, privacy, and security. Now, the GLBA privacy rule was enforced by the FTC for many years, but that was very recently transferred to the Consumer Financial Protection Bureau when that new agency was created about 10 years ago or more. But the FTC did retain enforcement authority under the GLBA security rule, and that brings us up to today.
Ethan Ostroff:
Outstanding. Thank you, Kim. I think that's certainly helpful background. I thought maybe before we get into the intersection of this enforcement action in the GLBA, we might take a little bit of time to dive into Celsius' business model. And Addison, I thought you might be able to give us some background about that.
Addison Morgan:
Sure. Celsius was a crypto retail bank that offered interest yield to its users of its platform in exchange for cryptocurrency deposit. So very similar to the traditional bank business model. For example, in exchange for depositing Ethereum, a widely known cryptocurrency, to a wallet address on Celsius' platform, Celsius may pay that depositor a weekly yield of maybe 6% APY for the full amount of the depositors Ethereum deposit. Celsius claims that it was able to pay out these exceptionally high yields. When we're comparing these yields to the yields that traditional banks offer, they were able to offer these high yields by using cryptocurrency deposits to originate secured and over collateralized loans to reputable institutional firms in a very low risk fashion. But, as we'll get into, the FTC contends that was not the case.
Ethan Ostroff:
Yeah, so a lot going on this year and last year in the space regarding trying to get yield on cryptocurrency deposits as well as bank deposits. A lot going on with various types of different accounts that people are running to in order to get yield in what was a very low interest rate environment. So, in the crypto context, what do we mean, Addison, when we talk about an over collateralized loan?
Addison Morgan:
An over collateralized loan is basically where the lender requires that the value of the collateral or the value of the asset necessary to guarantee that loan is higher than the value of the loan requested. And so for example, if I wanted a loan for let's say, $8,000 USDC, and so USDC is a stable coin offered in the crypto markets right now, in exchange for that 8,000 loan, the lender might request that I put up as collateral $10,000 worth of BTC or Bitcoin. And so that $2,000 cushion just allows the lender to protect itself from the risk of default, market volatility, et cetera. And it also serves as a risk hedge against the absence of credit scores, which right now at least don't exist in the crypto market space.
Ethan Ostroff:
That makes sense. So, turning specifically to the allegations by the FTC against Celsius, could you give us a brief overview of what the FTC is asserting in this case?
Addison Morgan:
Sure. The FTC has alleged that Celsius made a number of misrepresentations concerning various aspects of its business model. These misrepresentations range from issues concerning Celsius' unsecured lending practices and liquidity management, to allegedly inaccurate claims about a user's ability to withdraw cryptocurrency deposits from its platform. Also deposit insurance, to allegedly false advertisements about interest yields, which we just discussed, for cryptocurrency deposits. The FTC frequently quoted statements that ex-CEO Alexander Mashinsky publicly made during Ask Me Anything Sessions, which is a popular engagement platform that tech companies nowadays leverage to interact intimately with their users.
Ethan Ostroff:
One of the things we're seeing in this enforcement action is Celsius advertising that it relied on low-risk institutional lending to pay yield to crypto depositors. But the FTC alleges Celsius actually frequently offered unsecured loans to institutional investors totaling somewhere around 1.2 billion as of April 2022. And there's a disparity between the public statements by Celsius and its internal practices. And that appears to be a key point of contention. What, Addison, did the FTC allege about Celsius' lack of liquidity?
Addison Morgan:
So here, the FTC alleged that Celsius did not have sufficient liquidity to meet the withdrawal demands of its users. And this is despite Mashinsky's various reassurances that there was no "risk" in depositing crypto on Celsius whatsoever. The FTC even accused Celsius and its executives of concealing their dwindling fiscal health, reassuring customers that deposit were safe even as Celsius' financial situation worsened.
Ethan Ostroff:
The FTC also alleged Celsius misled customers about their ability to withdraw deposits at any time and provided false information about deposit insurance. It appears that at least according to the FTC, Celsius advertised that a $750 million insurance policy covered deposits. There are also these false advertisement claims. What's going on in that, Addison?
Addison Morgan:
This is primarily related to the interest yield issue we discussed earlier, but here the FTC was concerned with Celsius' advertisement that users could earn up to 18.63% APY on deposits, which is just extraordinary. According to the FTC, over 99% of Celsius customers never earned APY of 17%, let alone 18.63%, and the average APY was only about 5.6%.
Ethan Ostroff:
So, at the end of the day, what we have now is a consent order with Celsius that the FTC entered into that involves the FTC permanently banning Celsius from dealing with any asset service, held Celsius liable for a $4.7 billion judgment, which apparently reflects the total loss incurred by Celsius' customers after it ceased withdrawals. My understanding is that the judgment is suspended to permit Celsius to return its remaining assets to consumers in its ongoing bankruptcy proceedings. So that leads us all up to what I think is perhaps the most interesting aspect of this enforcement action, and something I think we're really excited to talk about today, which is the FTC's creative use of the GLBA. Kim, looping back, can you explain to our listeners the differences between Section 13(b) and Section 19 of the FTC ACT and why the FTC chose to leverage Section 19 in this enforcement action against Celsius?
Kim Phan:
Sure, but just as background, I know you say that it is a creative use, but I think for context we should let our listeners know, I mean, the FTCs mindset in recent years has shifted. FTC views the ability to issue monetary civil penalties as their mechanism for deterring contact that they believe businesses are engaged in that harms consumers. And because they can exceed what a wrongdoer actually earned through their misconduct, through these types of penalties, it sends a message that you can't profit on harming consumers because the FTC will pursue not just disgorgement, redress, but also penalties on top of that.
And so, the FTC under Section 13(b) of the FTC Act, this is a provision that authorized the FTC to seek injunctions, whether preliminary or permanent, and other equitable relief. It's the other equitable relief that the FTC has increasingly relied on to impose monetary penalties in the past. But this all shifted a couple of years ago when there was a case, AMG, that took a challenge to the FTC's extension of the 13(b) authority to impose these civil monetary penalties. And the Supreme Court ruled against the FTC. E.
Essentially, the Supreme Court said, and this is again a 2021 case, that Section 13(b) is really only limited to injunctions. So the FTC cannot use that particular authority to seek other types of penalties like restitution, disgorgement, which is a shock to the FTC. They had increasingly over the years, and 13(b) was put in place in 1973. At the time the FTC said that they were going to reserve what they considered other equitable relief for only exceptional cases. But again, they quickly expanded the use of that and it became a part of most cases until the Supreme Court made their ruling.
So, the FTC has been forced to look elsewhere when trying to pursue monetary penalties. Now, Section 19 is one option for them. Under the Section 19 authority as long as the FTC can establish that a defendant had a reasonable understanding that what they were doing was dishonest or fraudulent, the FTC could pursue redress. This is a way for them to impose some sort of fine, penalty. It has to be directly tied to consumer injury in the form of redress, but it is a way for them to impose some sort of monetary fine.
Now, this is a cumbersome tool. It's more administrative challenging than 13(b), which is why the FTC hasn't previously used it. It requires the FTC to establish consumer redress as needed. They have to establish this case before an administrative hearing. Get a cease-and-desist order in place, which can be challenged in court, and there's a lengthy appeals process the defendant can pursue. But once the FTC has a final cease and desist order in place, they can then impose some of that redress or they can pursue, as in this case, the consent order and settlement with the company. Though they haven't been able to, again, with the individual defendants reach a settlement.
Now, we had talked about Section 5 earlier, and I know we talked about that at length with regard to the unfairness and deceptive authority of the FTC. I just want to note that they have not been trying to use that to bring civil penalties because Section 5 is actually limited. They can't bring civil penalties in the first instance. They have to get some sort of consent order and settlement in place, and then they can bring fines for any subsequent violation of the terms of that consent order. So, again, we're not seeing them use Section 5 as much, and Section 19 is what they've tried to impose in this case.
Ethan Ostroff:
So, in this enforcement action, my understanding is the FTC's alleging Celsius violated the GLBA by making false representations to customers of financial institutions to obtain, among other things, cryptocurrency wallet addresses of its customers. And the FTC cited a provision of the GLBA that prohibits any person from obtaining or attempting to obtain customer information of a financial institution relating to another person by making a false, fictitious, or fraudulent statement or representation to a customer of a financial institution. Is that a provision that is utilized often by the FTC in enforcement actions?
Kim Phan:
Well, it hasn't been up until now, but that doesn't mean that they didn't have enforcement authority in this area. Keep in mind, the FTC's general UDAP authority, unfair and deceptive acts and practices, has always been available to them, and that's very generalized, to any type of company engaged in interstate commerce. Now, again, as I noted earlier, GLBA is specific to financial institutions, but this particular provision of the GLBA actually dovetails very closely to the FTC's UDAP authority. And so, they're alleging both. They're basically double dipping for the same activity as violations of two different statutes.
And they're basing this on the fact that what they allege the company have done was marketing the platform as a safe place for consumers to deposit their cryptocurrency by claiming in online videos, other forums, the platform was actually safer than banks. They told consumers that if they deposited their money with them, it was safe. They solicited new customers with representations about the safety of their platform, just days before they actually end up freezing their customer accounts, essentially blocking consumers from their funds, and then filing for bankruptcy.
So, I think you can imagine the FTC seeing that timeline, "Hey, one day all of your information and all of your data is going to be safe and all of your funds, and then the next day they file for bankruptcy." You can see how there might be some disconnect there. So, the FTC alleged that this was deceptive to consumers and that consumers were being incentivized to provide their sensitive banking information and other financial information to Celsius, when really Celsius had no attention of living up to its promises with regard to how they were going to safeguard that information. And I wanted to point out, the FTC in a blog post that accompanied the announcement of the order, very directly sets to cryptocurrencies and other companies that they need to disabuse themselves of any idea that the crypto and emerging marketplaces have a Wild West type of attitude. They need to be mindful of their legal obligations, specifically with regard to their claims about things like data security, safety of funds, other representations about their platform before they can use those to try to incite consumer behavior.
Ethan Ostroff:
Super helpful and insightful there. Let me ask you this, why do you think the FTC went through this explanation in the consent order about the relationship between the GLBA, the Fair Debt Collection Practices Act, and Dodd-Frank? What's going on there and why do they need to give that sort of explanation in order to get civil penalties for violations of the GLBA?
Kim Phan:
Keep in mind that when the CFPB was created under the Dodd-Frank Act, a lot of the FTC's consumer protection authorities were shifted to the CFPB, including many of the FTC staff who left the FTC to go work at the CFPB. So, the FTC's been trying to find its identity in this consumer protection space for a while. It has encountered, as I noted in the AMG decision, a number of legal setbacks with regard to where its authority lies and how they can pursue different courses with regard to their enforcement actions.
I think the FTC is, again, laying the groundwork for why and how it can do the things it's doing against this particular crypto company. And as you noted, this is the first action the FTC has taken in a crypto space. So, I think that, again, they're trying to establish why they can do this, how they can do this, and justify their actions, especially with regard to an incredible penalty, 4.7 billion. The only larger one was the one they brought against Facebook for its privacy violations, and so it's almost unmatched with regard to other cases.
Ethan Ostroff:
So, Addison, in this GLBA context, there's this allegation that cryptocurrency wallet addresses constitute customer information subject to the GLBA. What are your thoughts on that?
Addison Morgan:
This was actually the highlight of the case for me. I think that we have continuously seen a shift in sentiment with respect to digital assets markets from a legal standpoint and acceptance standpoint. So, I think this coincides with that continued shift. But what I thought was interesting was that the FTC used the term "customer information" to describe financial information under the GLBA, but when I read the GLBA, the GLBA doesn't actually use the term, "customer information." It actually used the term, "non-public personal information," and that term is defined as, "information that a consumer provides to a financial institution to obtain a financial product or service." And so not only through its allegations has the FTC signaled that digital asset-based service companies are financial institutions in the eyes of the law, but I also think that they have stated that cryptocurrency wallet addresses may constitute financial information subject to the GLBA.
Interestingly enough, as you know, cryptocurrency wallet addresses are public information. This is where that concept of pseudonymity comes in, where you may have multiple cryptocurrency wallet addresses that cannot be linked back to your physical person. However, if you use that cryptocurrency wallet with a platform like Celsius, you now have KYC where you can identify that this cryptocurrency wallet address belongs to X person or Y person. I assume that we'll see many industry stakeholders fight the FTC's characterization of cryptocurrency wallet addresses as non-public personal information because of that reason. If you can't uncover the identity of the owner without there being some KYC process in place, then it can't be non-public personal information because the wallet addresses itself is public information, and that can be easily ascertained on a blockchain explorer or some other public access device.
Ethan Ostroff:
It's going to be fascinating to see how this continues to involve. I think there's a number of important takeaways from this enforcement action. Strong precedent for the FTC to bring future enforcement actions against companies in the digital asset ecosystem. I think it was Samuel Levine, who's the Director of the FTC's Bureau of Consumer Protection recently said, "emerging technologies are not above the law."
And like you were just mentioning, Addison, this may affect how non-public personal information is defined by CFTC's interpretation of that term under the GLBA to include cryptocurrency wallet addresses is pretty significant. I mean, all in all, it seems like the FTC, amongst other federal regulators, is trying to tighten its grip on digital asset companies in an effort to protect consumers, something we're certainly going to be monitoring as we expect to see other federal regulators, including the CFPB, undertake more activity in this space as well.
Kim and Addison, thank you so much for joining me today. Providing this, I think very insightful and helpful analysis to our audience. I want to thank our audience for listening to today's episode. Don't forget to visit our blog, consumerfinancialserviceslawmonitor.com, and subscribe so you can get the latest updates. And please also make sure to subscribe to this podcast via Apple Podcast, Google Play, Stitcher, or whatever platform you use. We look forward to next time.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.