Jan 25 2019

This article originally was published in The Business Lawyer, Vol. 74, Winter 2018-2019

By Steve Middlebrook, Sarah Jane Hughes & Tom Kierner


This survey reports on developments in the law relating to electronic payments.

Part II addresses legal challenges to federal and state regulation of e-payments products. Part III discusses the amendment (again) of federal rules regulating prepaid accounts and a state court decision regarding New York’s payroll card regulation, which decision has resulted in chaos. Part IV discusses federal and state authorities’ articulation of ethical standards for lawyers working in the cryptocurrency space. Part V addresses regulatory enforcement actions that allege unfair and deceptive practices against financial technology (“FinTech”) companies. Part VI discusses enforcement actions by the Securities and Exchange Commission (“SEC”) concerning two Initial Coin Offerings (“ICOs”). Finally, Part VII addresses litigation against cryptocurrency intermediaries, which demonstrates the need for uniform legislation defining their obligations.





Although the Office of the Comptroller of the Currency (“OCC”) did not issue any non-depository, FinTech bank charters (“FinTech charters”) since our last survey [1] , the prospect of FinTech charters remains alive—with a report on chartering apparently in progress as of May 2018. [2]

Since last year’s survey, two challenges to the OCC’s FinTech-charter plans have been dismissed. The challenge brought by the New York State Department of Financial Services (“DFS”) was dismissed on December 12, 2017, for lack of standing and ripeness. [3] The challenge brought by the Conference of State Bank Supervisors was dismissed on April 30, 2018, also on standing and ripeness grounds. [4] Neither dismissal was with prejudice, so we expect that the plaintiffs will refile when the OCC issues a charter.


The DFS continues to grant BitLicenses to virtual-currency businesses based on its June 2015 regulation. [5] Among the most recent recipients of a BitLicense is Genesis Global Trading, whose application was granted in May 2018. [6] Critics of DFS’s pace of granting BitLicenses continue to charge that the BitLicense regulator favors better-funded applicants over start-ups. [7] As of May 25, 2018, only five businesses have received a BitLicense: Circle, Ripple, Coinbase, BitFlyer, and Genesis Global Trading. [8]

On December 27, 2017, the New York Supreme Court granted a motion to dismiss a lawsuit brought by Theo Chino that had challenged New York’s authority to regulate virtual currencies. [9] No other challenge to the BitLicense or to any other state regulation of virtual-currency businesses was pending during the survey year.


The Consumer Financial Protection Bureau [10] (“CFPB”) issued prepaid accounts regulations in 2016 [11] , amended the regulations in 2017 [12] , and modified them again in 2018. [13] Among the most recent changes, CFPB amended the regulations to provide that the error resolution and limited liability requirements of Regulation E do not apply to prepaid accounts that have not successfully completed the financial institution’s customer identification and verification processes. [14] In addition, for accounts where the consumer’s identity is later verified, the issuer does not have to provide error resolution or limited liability protections for transactions that occurred prior to identity verification. [15] These changes will prevent fraudsters from obtaining cards on which the underlying funds have already been spent and then claiming the spending transactions were unauthorized.

Last year’s survey discussed the invalidation of the New York Department of Labor’s (“DOL”) regulation of payroll cards by the state’s Industrial Board of Appeals (“IBA”). [16] Subsequently, the DOL appealed the ruling, and a state court “annulled” the IBA’s decision. [17] The court noted that the IBA’s decision was based upon a finding that the DOL had exceeded its authority and intruded into the regulation of banking and that the IBA had urged DOL to consult with the DFS. [18] Relying on documents not included in the administrative record before the IBA, the court found that the DOL had consulted with the DFS and that the financial services regulator did not object to the payroll card rules. [19]


In early 2018, the Chairman of the SEC and the Chairman of the Commodity Futures Trading Commission put the world on notice that their agencies were closely monitoring cryptocurrency and, in particular, were concerned by the role some participants, including lawyers, were playing in the developing market. “[W]e are disturbed by many examples of form being elevated over substance, with form-based arguments depriving investors of mandatory protections.” [20]

SEC Chairman Clayton spoke more specifically about the ICOs that some virtual currency companies use to raise capital from investors:

[M]ost disturbing to me, there are ICOs where the lawyers involved appear to be, on the one hand, assisting promoters in structuring offerings of products that have many of the key features of a securities offering, but call it an “ICO,” which sounds pretty close to an “IPO.” On the other hand, those lawyers claim the products are not securities, and the promoters proceed without compliance with the securities laws, which deprives investors of the substantive and procedural investor protection requirements of our securities laws. [21]

Lawyers advising cryptocurrency clients, especially regarding securities and commodities issues, should heed the agencies’ warning and be sure their advice is substantive and appropriate.

Nebraska issued an ethics advisory opinion allowing an attorney to receive digital currencies as payment for legal services if the attorney follows certain guidelines. [22] The opinion requires the attorney to convert the digital currency to U.S. dollars at market rates upon receipt in order to “mitigate the risk of volatility and possible unconscionable overpayment.” [23] An attorney also may hold Bitcoin and other digital currency in escrow or trust for a client, as long as the virtual currency is held separate from the attorney’s property and kept with commercially reasonable safeguards. [24]

The U.S. Office of Government Ethics (“OGE”) issued guidance for executive-branch employees on reporting holdings in virtual currency on their annual financial disclosure forms. [25] The OGE concluded that virtual currencies were property held for income or investment purposes and, consequently, such holdings must be included on a federal employee’s disclosure report if they meet reporting thresholds. [26] OGE also noted that some virtual currencies may be securities, and, given that transactions in securities are reportable, purchases and sales of such virtual currencies also should be reported. [27] The Committee on Ethics of the U.S. House of Representatives issued a memorandum offering similar guidance to House employees, concluding that cryptocurrencies should be treated as “other forms of securities” for purposes of congressional reporting requirements. [28] The guidance noted that the Stop Trading on Congressional Knowledge Act restricts congressional employees’ participation in an initial public offering (“IPO”) of securities. [29] Because it is “unclear” whether an ICO falls within the IPO prohibition, the Committee “strongly encouraged” employees to contact ethics staff before participating in one. [30] The memorandum also concluded that revenue derived from cryptocurrency mining activity would constitute “outside earned income,” which is subject to certain limitations and reporting requirements. [31]



In November 2017, the CFPB entered into a consent order with Conduent Business Services, LLC (“Conduent”) settling charges that software errors caused inaccurate information about more than a million consumers to be reported to credit reporting agencies (“CRAs”). [32] Conduent operates and customizes software that automates many of the processes needed to service auto loans, including the furnishing of consumer information to CRAs. [33] However, loan-servicing software defects caused Conduent’s five auto lender clients to furnish inaccurate information, including the date on which a borrower first became delinquent and whether a consumer’s car was voluntarily surrendered or involuntarily repossessed. [34] The CFPB found that Conduent failed to timely fix defects identified by its clients. [35] Furthermore, when defects were identified and fixed for one client, Conduent did not notify its other clients about known defects, causing erroneous reporting to persist for years longer than it would have otherwise. [36]

Asserting its jurisdiction over “service providers” of “covered persons,” [37] the CFPB assessed a $1.1 million civil money penalty, [38] and imposed conduct provisions to remediate harm and prevent similar issues in the future. [39] This outcome should remind attorneys of the broad jurisdiction of the CFPB and the value of robust change-management policies and procedures.


In May 2018, the Federal Trade Commission (“FTC”) finalized a settlement with PayPal, Inc. regarding its privacy, security, and disclosure practices related to its popular peer-to-peer payment service, Venmo. [40] Capping a multi-year investigation into some of the same practices that resulted in a 2016 settlement with the State of Texas, [41] the FTC complaint alleged that PayPal engaged in deceptive acts or practices in violation of the FTC Act and violated the Gramm-Leach-Bliley Act’s (“GLBA”) Privacy and Safeguards Rules. [42]

The FTC alleged that PayPal violated the FTC Act by engaging in deceptive acts in three ways. First, PayPal allegedly misrepresented a consumer’s ability to transfer money from a Venmo account to an external bank account. [43] When a Venmo user sent money, the recipient would receive a notification of the transfer: “Money credited to your Venmo balance. Transfer to your bank overnight.” [44] However, the speed of transfer was not as advertised. PayPal waited until consumers attempted to transfer funds to a bank account before reviewing the transfer they received for fraud, insufficient funds, or other problems—reviews that resulted in unexpected delays for consumers. [45] In addition, PayPal would sometimes determine there were problems with the underlying transaction and debit the user’s balance—even after PayPal had alerted the user that funds were already credited. [46]

Second, the FTC took issue with the way that PayPal administered and disclosed its privacy settings. By default, the names of the payer and the payee, the transaction date and time, and a message written by the payer were displayed publicly on the Venmo social news feed and each user’s personal page. [47] PayPal allowed users to opt out of these default settings and restrict transaction information to their “Friends” or “Participants [in the transaction] only.” [48] However, to accomplish this, users had to change their privacy settings in two different places: once to restrict their own sharing of transaction data, and once to restrict the sharing of transaction data by the other user. [49] Toggling the former setting, while failing to toggle the latter, would result in one user’s less restrictive privacy settings overriding another user’s more restrictive privacy settings—something that PayPal did not adequately disclose. [50]

Third, the FTC alleged that PayPal misled consumers about security. PayPal represented that Venmo employed “bank-grade security systems” and used “data encryption to protect [consumers] and guard against unauthorized transactions.” [51] However, until approximately March 2015, the Venmo platform failed to provide security notifications regarding changes to account settings, resulting in third-party account takeovers and unauthorized withdrawals without alerting affected users. [52]

The FTC also alleged that PayPal violated the GLBA Privacy Rule and Regulation P by failing to (1) provide customers with a clear and conspicuous initial privacy notice; (2) accurately reflect its privacy policies in such notice; and (3) deliver notice so that each customer could reasonably be expected to receive actual notice. [53]

Finally, the FTC alleged that PayPal violated the GLBA Safeguards Rule by failing to (1) have a comprehensive written information security program; (2) assess reasonably foreseeable risks to consumer information; and (3) implement basic safeguards to protect that information. [54]

The consent order did not assess a civil money penalty for any of PayPal’s alleged violations. Instead, it prohibits PayPal from making similar misrepresentations in the future and requires PayPal to undertake certain security, reporting, and compliance obligations. [55]


In March 2018, the Federal Deposit Insurance Corporation (“FDIC”) settled claims with The Bancorp Bank (“Bancorp”) related to its Excella prepaid card program. [56] The FDIC alleged Bancorp engaged in unfair and deceptive practices by improperly assessing transaction fees for certain point-of-sale, signature-based transactions. [57] The FDIC order provides scant details on what led to cardholders’ being overcharged, but Excella cardholder agreements disclose a $1 fee for signature-based (i.e., authorized without the use of a personal identification number, or PIN) transactions and a $2 fee for PIN-based transactions, [58] suggesting that PIN-less transactions were, in some instances, processed as PIN-based transactions, and cardholders were assessed the higher fee.

The FDIC also stated that it “has reason to believe that the Bank violated” the Electronic Funds Transfer Act, the Truth in Savings Act, and the Electronic Signatures in Global and National Commerce Act. [59] The settlement agreement ordered Bancorp to pay restitution of $1.3 million to affected consumers and assessed a civil money penalty of $2 million. [60]


On April 25, 2018, the FTC filed suit against Lending Club, a peer-to-peer lending company that allows borrowers to create unsecured personal loans, alleging that the company engaged in unfair and deceptive business practices in violation of the FTC Act. [61]

Lending Club advertised that it charged no hidden fees, but the FTC alleged that Lending Club charged borrowers a hidden up-front fee. [62] Lending Club first performs a front-end review of consumers’ applications to determine credit worthiness. [63] Consumers who pass this initial front-end review are presented an offer, [64] with the loan amount, monthly payment, interest rate, and annual percentage rate (“APR”). [65] Only if a consumer clicked on a small green question mark next to the term “APR” did Lending Club disclose—through a pop-up bubble—that the APR is inclusive of an up-front origination fee that is automatically deducted from the loan amount. [66] For example, if a consumer had applied for a $20,000 loan, an up-front origination loan of $1,000 may factor into the APR, and only $19,000 would be disbursed to the borrower.

The FTC alleged FTC Act violations when Lending Club told consumer applicants that the “loan is on the way.” [67] In fact, Lending Club would not disburse proceeds until and unless applications passed a more stringent back-end credit review and received sufficient investor backing. [68] The FTC also alleged that Lending Club’s process and representations resulted in borrower confusion as to the status of their loans. [69]

The FTC finally claimed that Lending Club unfairly debited borrowers’ personal bank accounts by, for example, erroneously processing monthly payments twice, resulting in borrowers’ bank accounts being overdrawn. [70] Lending Club also continued to debit borrowers’ bank accounts after the loan had already been paid off. [71]

In June 2018, Lending Club filed a motion to dismiss, arguing that its origination fee is prominently disclosed in multiple locations and that it utilizes the model Truth in Lending Act disclosure form provided by the CFPB—facts, it asserts, that should defeat the government’s first deception claim. [72] Lending Club disputes the FTC’s unfairness count by arguing that the FTC presented no evidence that unauthorized withdrawals were anything more than a rare occurrence among millions of ACH transactions it processes every year. [73]

FinTech lawyers—and their less tech-y colleagues—would be well-advised to follow this case with interest, as some of the alleged deceptive practices, including the use of pop-up bubbles and “no hidden fees” claims, are not unique to Lending Club.


During 2017 and the first half of 2018, investors have poured over a billion dollars into ICOs despite obvious red flags suggesting some of the projects were fraudulent. [74] In early 2018, the SEC sued AriseBank, Jared Rice Sr., and Stanley Ford, [75] alleging their ICO was an illegal offering of unregistered securities. [76] The complaint also alleged that the offering materials “use many materially false statements and omissions to induce investment in the ICO,” [77] and that Arise-Bank’s claim to have FDIC insurance for its customers was false. [78] The SEC sought temporary restraining orders, asset freezes, and a receiver for AriseBank. [79]

On April 2, 2018, the SEC charged Centra Tech., Inc. and its co-founders with making a fraudulent ICO that raised more than $32 million from thousands of investors in 2017. [80] The SEC charged that the defendants falsely claimed that the coin offering, called “CTR Tokens” or “Centra Tokens,” would raise funds to build a number of financial products, and that they would offer coin holders a Visa or MasterCard debit card to facilitate conversion of cryptocurrencies into U.S. dollars or other legal tender. [81]

These two actions reveal a determination by the SEC to enforce the registration and disclosure requirements and measures of federal securities laws to deter materially deceptive or fraudulent statements made in ICOs. It is telling that of the many possible enforcement actions the SEC could have brought against ICOs, it focused its resources on two offerings that claimed business relationships with banks and payment networks operating in the traditional financial services environment. These actions suggest the SEC will not tolerate violations of key securities laws by innovators.


Although cryptocurrency users frequently rely on wallet providers and exchanges to manage their holdings, legal obligations of these intermediaries are not well defined. Complaints about exchanges and other services providers are increasing and are starting to generate litigation. [82]

Our 2017 survey covered the fight between the Internal Revenue Service and Coinbase, the largest U.S. Bitcoin exchange and wallet service, over a so-called “John Doe” subpoena seeking information on every single customer of the company who engaged in a virtual currency transaction during the years 2013–2015. [83] The court resolved the dispute by ordering Coinbase to turn over a limited amount of information about a significantly smaller group of customers. [84] The exchange must provide information on customers who annually engaged in transactions totaling at least $20,000, reducing the number of pertinent customers from millions to 14,355. [85] In addition, the information provided will be limited to name, address, date of birth, taxpayer identification number, and account activity records and statements. [86]

Coinbase suffered another legal setback related to the enforceability of its user agreement in a dispute where the exchange was sued for failure to identify and prevent fraudulent transactions. The Eleventh Circuit affirmed a district court decision [87] that Coinbase could not enforce the mandatory arbitration provisions of its agreement to stop litigation involving the failed cryptocurrency exchange Cryptsy. [88] When Cryptsy’s founder fled the country with his customers’ cash, certain users initiated a class action against the company and its founder, and the court appointed a receiver. The class and the receiver then initiated an action against Coinbase, alleging it had aided and abetted the fraud at Cryptsy and was negligent in performing certain statutorily mandated duties. [89] Thus, the district court will have to decide what, if any, responsibility a cryptocurrency exchange has to identify and stop fraud committed by its client against consumers with which the exchange has no direct relationship.

In February 2018, Ezra Sultan sued Coinbase, alleging a violation of the cybersecurity requirements under New York law. [90] Sultan alleged he gave his confidential account information to someone he thought was Coinbase’s customer service employee, but who turned out to be a hacker who used his account information to transfer cryptocurrency out of his account. [91] Sultan also alleged that the exchange processed the transfers without the “Two-Factor Authentication” code required by Coinbase policy. [92]

A March 2018 class action lawsuit alleged that Coinbase engaged in unfair business practices related to the new cryptocurrency Bitcoin Cash, which was created as a result of the hard fork of the Bitcoin blockchain, and which should have been distributed to all current holders of Bitcoin. [93] Plaintiffs contend that Coinbase wavered on whether it would support Bitcoin Cash, but then with little warning, processed some Bitcoin Cash transactions in late December 2017. [94]

Another March 2018 class action lawsuit alleged that Coinbase did not comply with California’s unclaimed property statute and that it was engaged in unfair business practices, including keeping cryptocurrency that users intended to send to third parties if the third parties never created Coinbase accounts, rather than transferring the abandoned property to the state. [95]

The lawsuits described above demonstrate that the obligations of virtual currency intermediaries are still unclear. While it does not address all of the duty issues that may apply to providers of cryptocurrency products and services discussed above, the Uniform Regulation of Virtual-Currency Businesses Act (“URVCBA”) does create a framework for regulating intermediaries engaged in holding, exchanging, or transferring virtual currencies. [96] It was approved by the Uniform Law Commission and the ABA House of Delegates as appropriate for states seeking to adopt substantive regulation of virtual-currency businesses. [97] The URVCBA requires licensure of entities engaged in virtual-currency business activity and sets out financial and operational standards, minimum security, anti-money laundering, and consumer protection requirements for such entities.


In the prior survey year, there were relatively clear steps forwards and backwards. This year’s developments affecting e-payments and e-financial services reveal the issues that regulators have with emerging products and providers’ compliance with federal and state laws without showing a clear path forward.

Steve Middlebrook has an extensive background in emerging payment technologies, prepaid and stored value products, mobile payments, web-based financial services, virtual currency and distributed ledger technology. His prior experience includes being General Counsel at two FinTech companies, and a decade’s service at the US Department of the Treasury. He also served as an advisor to the Uniform Law Commission (ULC) committee which drafted the Uniform Regulation of Virtual Currency Businesses Act. The Uniform Act was recently approved by the ULC and is now being considered for adoption by a number of states.

Tom Kierner is a transactional attorney with a background in payment systems and financial regulations. As former in-house counsel at two financial services companies, he advises his clients on the dynamic regulatory and legal landscape for FinTech and payments companies. He also assists his clients in negotiating and drafting agreements with banks, processors, and other service providers.

Sarah Jane Hughes is a University Scholar and Fellow in Commercial Law at the Maurer School of Law, Indiana University-Bloomington. She served as the Reporter for the Uniform Law Commission’s Regulation of Virtual-Currency Businesses Act (approved in 2017) and now serves as the Reporter for the Uniform Law Commission’s Uniform Supplemental Commercial Law for the Uniform Regulation of Virtual-Currency Businesses Act.


[1] See Stephen T. Middlebrook, Sarah Jane Hughes & Tom Kierner, Two Steps Forward, One Step Back: Developments in the Law Affecting Electronic Payments and Financial Services, 73 BUS. LAW. 277, 279 (2017) [hereinafter 2017 Survey] (discussing various developments in the law regarding electronic payments and financial services).

[2] Joe Adler, Decision on Fintech Charter Coming This Summer: OCC’s Otting, AM. BANKER (May 24, 2018, 4:12 PM), https://www.americanbanker.com/news/decision-on-fintech-charter-coming-thissummer-occs-joseph-otting (projecting release of the report in July 2018, but quoting Comptroller Joseph Otting as stating the bank regulator had not “decided” whether to use its chartering authority for FinTechs).

[3] Vullo v. OCC, No. 17 Civ. 3574 (NRB), 2017 WL 6512245, at *1 (S.D.N.Y. Dec. 12, 2017); see Chelsea Lamb, Stephen C. Piepgrass & Timothy Butler, Federal Court Dismisses Challenge to OCC Fintech Charter Proposal, TROUTMAN SANDERS (Dec. 13, 2017), https://www.consumerfinancialserviceslawmonitor.com/2017/12/federal-court-dismisses-challenge-to-occ-fintech-charter-proposal/ (discussing the federal court’s decision to dismiss the challenge).

[4] Conference of State Bank Supervisors v. OCC, 313 F. Supp. 3d 285, 301 (D.D.C. 2018).

[5] N.Y. COMP. CODES R. & REGS. tit. 23, pt. 200 (2017).

[6] Matthew Leising, Genesis Global Trading Granted BitLicense in New York State, BLOOMBERG(May 17, 2018, 10:04 AM), https://www.bloomberg.com/news/articles/2018-05-17/genesis-global-tradinggranted-bitlicense-in-new-york-state (discussing licensing of cryptocurrency broker, which had previously operated under BitLicense’s “safe harbor” provision).

[7] Chrisjan Pauw, BitLicense Approval Shines Fresh Light on New York-Crypto Relationship, COINTELE-GRAPH (June 1, 2018), https://cointelegraph.com/news/bitlicense-approval-shines-fresh-light-on-newyork-crypto-relationship (mentioning how few BitLicenses have been granted and describing an exodus from New York State by several crytpocurrency providers despite the state’s sizeable role in financial services).

[8] See Jen Wieczner, Inside New York’s BitLicense Bottleneck: An “Absolute Failure?,” FORTUNE(May 25, 2018), http://fortune.com/2018/05/25/bitcoin-cryptocurrency-new-york-bitlicense/ (discussing various issues concerning BitLicense applications).

[9] Decision, Order and Judgment at 2, Chino v. N.Y. Dep’t of Fin. Servs., No 101880/2015 (N.Y. Sup. Ct. Dec. 27, 2017), https://www.scribd.com/document/368347618/Court-order-on-the-case-Chino-v-New-York-Dept-of-Fin-Servs#from_embed ; Wolfie Zhao, Judge Dismisses Long-Shot Bid to Overturn New York Bitcoin Regulation, COINDESK (Jan. 3, 2018, 11:18 PM), https://www.coindesk.com/judge-dismisses-long-shot-bid-overturn-new-york-bitcoin-law/ (appending the court’s order).

[10] In a speech given on April 24, 2018, Acting Director Mick Mulvaney announced his intention to change the name of the Consumer Financial Protection Bureau to the Bureau of Consumer Financial Protection to mirror its official name in the Dodd-Frank Act. See Rachel Witkowski, Mulvaney to Drop Public Complaints Against Firms, Change CFPB Name, AM. BANKER (Apr. 24, 2018, 2:20 PM), https://www.americanbanker.com/news/mulvaney-to-drop-public-complaints-against-firms-changecfpb-name . For consistency purposes, we have continued to use Consumer Financial Protection Bureau in this survey.

[11] Prepaid Accounts Under the Electronic Fund Transfer Act (Regulation E) and the Truth in Lending Act (Regulation Z), 81 Fed. Reg. 83934 (Nov. 22, 2016) (to be codified at 12 C.F.R. pts. 1005 & 1026); see also 2017 Survey, supra note 1, at 287–88.

[12] Prepaid Accounts Under the Electronic Fund Transfer Act (Regulation E) and the Truth in Lending Act (Regulation Z); Delay of Effective Date, 82 Fed. Reg. 18975 (Apr. 25, 2017) (to be codified at 12 C.F.R. pts. 1005 & 1026); see also 2017 Survey, supra note 1, at 287–88.

[13] Rules Concerning Prepaid Accounts Under the Electronic Fund Transfer Act (Regulation E) and the Truth in Lending Act (Regulation Z), 83 Fed. Reg. 6364 (Feb. 13, 2018) (to be codified at 12 C.F.R. pts. 1005 & 1026).

[14] Id. at 6366.

[15] Id.

[16] 2017 Survey, supra note 1, at 282–83.

[17] Decision, Order & Judgment, Reardon v. Glob. Cash Card, Inc., No. 2643-17 (N.Y. Sup. Ct. May 23, 2018), 2018 BL 234642, at *7.

[18] Id. at *2, *4–5.

[19] Id. at *5–7.

[20] Jay Clayton & J. Christopher Giancarlo, Regulators Are Looking at Cryptocurrency, WALL ST. J. (Jan. 24, 2018, 6:26 PM), https://www.wsj.com/articles/regulators-are-looking-at-cryptocurrency1516836363 .

[21] Jay Clayton, Chairman, U.S. Sec. & Exch. Comm’n, Opening Remarks at the Securities Regulation Institute (Jan. 22, 2018), https://www.sec.gov/news/speech/speech-clayton-012218 .

[22] Neb. Lawyers’ Advisory Comm., Nebraska Ethics Advisory Opinion for Lawyers No. 17-03 (Sept. 11, 2017), https://supremecourt.nebraska.gov/sites/default/files/ethics-opinions/Lawyer/17-03.pdf .

[23] Id. at 1.

[24] Id.

[25] U.S. Office of Gov’t Ethics, Legal Advisory LA-18-06: Guidance for Reporting Virtual Currency on Financial Disclosure Reports (June 18, 2018), https://www.oge.gov/web/oge.nsf/All+Advisories/8B9F1457621B11B7852582B00048F870/$FILE/LA-18-06.pdf .

[26] Id. at 2–3.

[27] Id. at 3–4.

[28] Memorandum from the U.S. House of Representatives Comm. on Ethics to All House Members, Officers & Emps. at 1 (June 18, 2018) [hereinafter House Ethics Memo], https://ethics.house.gov/sites/ethics.house.gov/files/Cryptocurrencies%20Pink%20Sheet.pdf (addressing the subject of “Cryptocurrencies: Financial Disclosure Requirements and Other Ethics Ramifications”).

[29] Id. at 3–4; Stop Trading on Congressional Knowledge Act, Pub. L. No. 112-105, § 12, 126 Stat. 291, 300 (2012) (codified as amended at 15 U.S.C. § 78u-1 (2018)) (prohibiting covered employees from purchasing securities in an IPO in any manner that is not available to the general public).

[30] House Ethics Memo, supra note 28, at 4.

[31] Id. at 5–6 (quoting H.R. Rule 25, cl. 4(d)(1) (Jan. 6, 2015)).

[32] Consent Order, In re Conduent Bus. Servs., LLC, No. 2017-CFPB-0020 (Nov. 20, 2017) [hereinafter Conduent Consent Order], https://www.consumerfinance.gov/documents/5856/cfpb_conduent-business-services_consent-order_112017.pdf .

[33] Id. at 1–2.

[34] Id. at 10–11.

[35] Id. at 10.

[36] Id. at 10–11.

[37] Id. at 6. Under the Consumer Financial Protection Act, the CFPB has jurisdiction over entities that offer or provide consumer financial products or services (i.e., “covered persons”), 12 U.S.C. § 5481(6) (2018), and also over entities that provide a material service to a covered person, including entities that participate in “designing, operating, or maintaining the consumer financial product or service” (i.e., “service providers”), id. § 5481(26)(A).

[38] Conduent Consent Order, supra note 32, at 18.

[39] Id. at 20–26.

[40] Decision and Order, In re PayPal, Inc., No. C-4651 (F.T.C. May 23, 2018) [hereinafter PayPal Consent Order].

[41] Press Release, Att’y Gen. of Tex., Attorney General Ken Paxton Announces Agreement to Protect Consumers; Reform Privacy and Security Practices with PayPal (May 20, 2016), https://texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-announces-agreement-protectconsumers-reform-privacy-and-security .

[42] Complaint at 1, In re PayPal, Inc., No. C-4651 (F.T.C. May 23, 2018); see FTC Act, 15 U.S.C.

§§ 41–58 (2018); GLBA, 15 U.S.C. §§ 6801–6809 (2018); 12 C.F.R. pt. 1026 (2018); 16 C.F.R. pt.

314 (2018).

[43] Complaint at 13, In re PayPal, Inc., No. C-4651 (F.T.C. May 23, 2018).

[44] Id. at 2.

[45] Id. at 3–4

[46] Id. at 4.

[47] Id.

[48] Id. at 7.

[49] Id.

[50] Id. at 7–8.

[51] Id. at 9.

[52] Id. at 9–10.

[53] Id. at 14–15.

[54] Id. at 15.

[55] PayPal Consent Order, supra note 40, at 3–8.

[56] Order for Restitution & Order to Pay Civil Money Penalty, In re Bancorp Bank, No. FDIC-18-0008b (Mar. 7, 2018) [hereinafter Bancorp Order], https://www.fdic.gov/news/news/press/2018/pr18019a.pdf .

[57] Id. at 1.

[58] Cardholder Agreement at 5–6 & n.4, The Bancorp Bank (June 2014), https://www.excellacard.com/assets/pdf/Cardholder_Agreement_InStore_ENG.pdf (establishing rules for cards

obtained in-store); Cardholder Agreement at 5–6 & n.4, The Bancorp Bank (Sept. 2014), https://www.excellacard.com/assets/pdf/Cardholder_Agreement_Online_ENG.pdf (establishing rules for cards

obtained online).

[59] Bancorp Order, supra note 56, at 1–2; see Electronic Fund Transfer Act, 15 U.S.C. §§ 1693–1693r (2018); Truth in Savings Act, 12 U.S.C. §§ 4301–4313 (2018); Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §§ 7001–7006 (2018).

[60] Bancorp Order, supra note 56, at 7; Press Release, Fed. Deposit Ins. Corp., FDIC Announces Settlement with the Bancorp Bank, Wilmington, Delaware, for Unfair and Deceptive Practices (Mar. 7, 2018), https://www.fdic.gov/news/news/press/2018/pr18019.html (announcing restitution sum).

[61] Press Release, Fed. Trade Comm’n, FTC Charges Lending Club with Deceiving Consumers (Apr. 25, 2018), https://www.ftc.gov/news-events/press-releases/2018/04/ftc-charges-lending-clubdeceiving-consumers .

[62] Complaint at 24–25, FTC v. LendingClub Corp., No. 3:18-cv-02454 (N.D. Cal. Apr. 25, 2018), https://www.ftc.gov/system/files/documents/cases/lending_club_complaint.pdf. LendingClub Corporation does business as Lending Club. Id. at 3.

[63] Id. at 8.

[64] Id. at 8–9.

[65] Id. at 9.

[66] Id. at 10.

[67] Id. at 18.

[68] Id.

[69] Id. at 12.

[70] Id. at 21–22.

[71] Id.

[72] Defendant’s Notice of Motion, Motion to Dismiss Plaintiff’s Complaint & Memorandum in Support Thereof at 12–18, FTC v. LendingClub Corp., No. 3:18-cv-02454 (N.D. Cal. June 18, 2018), https://dlbjbjzgnk95t.cloudfront.net/1055000/1055211/https-ecf-cand-uscourts-gov-doc1-035116851943.pdf .

[73] Id. at 12, 20–24.

[74] Shane Shifflett & Coulter Jones, Buyer Beware: Hundreds of Bitcoin Wannabes Show Hallmarks of Fraud, WALLST. J. (May 17, 2018, 12:05 PM), https://www.wsj.com/articles/buyer-beware-hundredsof-bitcoin-wannabes-show-hallmarks-of-fraud-1526573115 .

[75] Complaint, SEC v. AriseBank, No. 3:18-cv-00186-M (N.D. Tex. Jan. 25, 2018), https://www.sec.gov/litigation/complaints/2018/comp-pr2018-8.pdf .

[76] Id. at 2.

[77] Id.

[78] Id.

[79] Id. at 2–3.

[80] Complaint at 1–2, SEC v. Sharma, No. 1:18-cv-02909 (S.D.N.Y. Apr. 2, 2018), https://www.sec.gov/litigation/complaints/2018/comp-pr2018-53.pdf .

[81] Id. at 2–3.

[82] See Cyrus Farivar, Angry Coinbase Users Sue over Claimed Security Failings, Insider Trading, ARS-TECHNICA (Mar. 5, 2018, 3:08 PM), https://arstechnica.com/tech-policy/2018/03/angry-coinbaseusers-sue-over-claimed-security-failings-insider-trading/ ; Jack Morse, SEC Documents Detail Scores of Fraud Allegations Against Coinbase, MASHABLE (June 20, 2018), https://mashable.com/2018/06/20/sec-coinbase-complaints-fraud .

[83] 2017 Survey, supra note 1, at 281–82.

[84] Order re Petition to Enforce IRS Summons, United States v. Coinbase, Inc., No. 3:17-cv01431-JSC (N.D. Cal. Nov. 28, 2017), https://www.scribd.com/document/365954979/365893210-US-v-Coinbase-Order .

[85] Id. at 3, 14.

[86] Id. at 11.

[87] Leidel v. Coinbase, Inc., No. 16-81992-CIV-MARRA, 2017 WL 2374269 (S.D. Fla. June 1, 2017), aff’d, 729 F. App’x 883 (11th Cir. 2018) (per curiam).

[88] Leidel v. Coinbase, Inc., 729 F. App’x 883 (11th Cir. 2018) (per curiam).

[89] Id. at 885.

[90] Complaint, Sultan v. Coinbase, Inc., No. 1:18-cv-00934-FB-ST (E.D.N.Y. Feb. 13, 2018), https://www.courtlistener.com/recap/gov.uscourts.nyed.413134/gov.uscourts.nyed.413134.1.0.pdf (citing N.Y. COMP. CODES R. & REG. tit. 23, pt. 200 (2017)).

[91] Id. at 3–4.

[92] Id. at 4–5.

[93] Class Action Complaint at 1–3, Berk v. Coinbase, Inc., No. 4:18-cv-01364-KAW (N.D. Cal. Mar. 1, 2018), https://images.law.com/contrib/content/uploads/documents/403/11288/CoinbaseComplaint.pdf .

[94] Id. at 3–4.

[95] Class Action Complaint at 1–2, Faasse v. Coinbase, Inc., No. 3:18-cv-01382-DMR (N.D. Cal. Mar. 2, 2018), https://restislaw.com/wp-content/uploads/2018/03/Faasse-v-Coinbase-Complaint-1.pdf (citing CAL. BUS. & PROF. CODE §§ 17200–17210 (Deering 2007 & Supp. 2017); CAL. CIV. PROC. CODE §§ 1500–1582 (Deering 2014 & Supp. 2017)).

[96] UNIF. REGULATION OF VIRTUAL-CURRENCY BUS. ACT (UNIF. LAW COMM’N 2017), http://www.uniformlaws.org/shared/docs/regulation%20of%20virtual%20currencies/URVCBA_Final_2017oct9.pdf .

[97] Press Release, Unif. Law Comm’n, ABA Approves Five New Uniform Acts (Feb. 6, 2018), http://uniformlaws.org/NewsDetail.aspx?title=ABA%20Approves%20Five%20New%20Uniform%20Acts .