Globally, the crypto industry is still unravelling the collapse of FTX. While it prima facie appears to be a case of inexperience and poor governance - to a point of being criminal, this article discusses what could be the key takeaways for regulators of the crypto industry. There are also growing voices to ban crypto trade outright, but that would be a case of throwing the baby out with the bath water. Instead, there should be learnings on how to regulate a technology industry which is not limited by international boundaries and has benefits for the future. In fact, cross border regulation of technology is here to stay and sooner we gear up, better for us all.

FTX, founded in 2019 by Sam Bankman-Fried ("SBF") and Gary Wang, operated as one of the largest crypto currency exchange platforms globally. The exchange, ftx.com, operated from the Bahamas, and targeted customers globally. A separate platform, ftx.us, targeted US customers.

John. J Ray III, the CEO of FTX appointed to oversee the bankruptcy procedures (incidentally he also over saw the Enron bankruptcy) - in his Declaration filed before the United States Bankruptcy Court stated as follows:

"5. Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here. From compromised systems integrity and faulty regulatory oversight abroad, to the concentration of control in the hands of a very small group of inexperienced, unsophisticated and potentially compromised individuals, this situation is unprecedented."

The fungible nature of crypto currencies, coupled with the ease of cross border transfers, and a complex web of inter-related companies incorporated in multiple jurisdictions have reduced individual regulators overall visibility on the activities carried out in global exchanges like FTX.

While there are other immediate factors such as - the huge trading losses in Alameda Research (a FTX related entity apparently run by SBF's girlfriend) and the arguably astute and (un)timely moves by FTX's largest rival, Binance, who dumped 2 billion USD worth FTT tokens - this article primarily focuses on the regulatory aspects of the collapse.

INTERNATIONAL NATURE OF OPERATIONS AND NATIONAL GOVERNANCE – REGULATORY ARBITRAGE:

First and foremost a complex web of inter-related companies in the FTX group made it difficult for individual regulators to fully comprehend, and appropriately assess the business. Couple this with the fact that the crypto industry was a new type of industry and no one jurisdiction had the entire suite of laws required to legislate its complexities. In fact, many jurisdictions, including the US had adopted a "light handed" regulatory approach to let the industry develop.

Reportedly, the FTX group comprised of about 130 companies incorporated in over more than 15 jurisdictions. The main entity was governed under the laws of the state of Bahamas. However, the dealings, especially the related party transactions were with entities around the globe. A shrewd software fix to conceal related party transfers, lack of comprehensive and sophisticated provisions pertaining to related party transactions and even worse enforcement - left a gaping hole which was visible to no one singular regulator who had the entire line of sight.

The regulators in the Bahamas were seemingly lax and failed to track the massive extent of the related party transactions. Apparently, SBF had created a "back door" in FTX's books, and he could make changes to the company's financial records without flagging the transactions either internally or externally. By hindsight it is now clear that an un-sophisticated jurisdiction cannot house the main business of a global exchange. Regulation of the core operating company has to be robust, ongoing and reliable. Clearly FTX Bahamas was operating in the twilight of regulation – its network of companies provided limited oversight in each jurisdiction in which it operated.

A possible approach for the future is that the jurisdiction with the largest consumer exposure can establish an end-to-end regulatory oversight as a pre-condition to permitting access to the market. Already in India, the equalization levy seeks to tax a business when the revenues are derived from India, even though they are not 'operating' in India. Similarly, if most of the investors are from India, even though the exchange is located elsewhere – there could be a 'long-arm statute' asserting jurisdiction.

PROTECTION OF CUSTOMER DEPOSITS/FUNDS – INTERNATIONAL COOPERATION:

As per the Declaration made by John J. Ray III, it is understood that customer funds were mishandled by FTX and were also used for related party transactions. Predictably, the FTX Terms of Service stated that the digital assets traded on or deposited within users accounts was solely the property of the users/customers and FTX had no right of the same. However, in reality the customer cryptos were being liberally loaned to FTX related companies and eventually were never paid back.

By way of a learning – there was absolutely no internal oversight or external audit on operations which ought to have flagged off such irregularities early. Other than self-serving assurances no one seemed to have any eye on this appropriation of customer funds. Given that these assets were owned by investors in multiple jurisdictions, no one regulator was protecting the consumers.

Perhaps a structure akin to what is stated in the Financial Action Task Force ("FATF") report dated October, 2021 Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Assets Service Providers, (FATF is the inter-governmental body that tracks cross border terrorist financing and money laundering activities) may be the norm in the future to protect a diverse and global customer base.

The FATF report lays down the following to detect irregular behaviour and report suspicious transactions of crypto intermediaries: (i) technological features that increase anonymity; (ii) geographical risks – countries with weak, or absent, national measures for cryptocurrencies; (iii) transaction patterns – including transactions which are structured to avoid reporting or appear irregular, unusual or uncommon; (iv) transaction size – if the amount and frequency has no logical business explanation; (v) sender or recipient profiles; and (vi) source of funds. With suitable modifications to track and lock genuine investor virtual assets into a particular jurisdiction, this will prevent illegal tapping into private accounts.

Also relevant from a regulatory and reporting perspective, reference is made to the Crypto Asset Reporting Framework ("CARF"), published by the Organisation for Economic Co-operation and Development ("OECD") in October, 2022. CARF is a global tax transparency framework which provides for the automatic exchange of tax information on transactions in crypto assets in a standardised manner with the jurisdictions of residence of taxpayers on an annual basis. While this automatic exchange of information is designed to prevent tax evasion, such a framework can be effective for exchange of information pertaining to ownership of crypto transfers in multiple jurisdictions. The CARF also consists of rules and commentary that can be the basis for jurisdictions to frame domestic policies in relation to crypto transactions applicable to crypto intermediaries. These rules and commentary have been designed around four key building blocks: (i) scope of crypto-assets to be covered; (ii) entities and individuals subject to data collection and reporting requirements (iii) transactions subject to reporting; and (iv) due diligence procedures to identify crypto-asset users and controlling persons and to determine the relevant tax jurisdictions for reporting and exchange purposes.

STRICT MONITORING OF RELATED PARTY TRANSACTIONS:

Many of the companies in the FTX group, did not have appropriate internal corporate governance and, in fact, never conducted board meetings and appointed independent directors. As stated in the Declaration by John J. Ray III, the FTX group did not maintain appropriate books and records with respect to digital assets held by them on behalf of users. The overall management and control of the FTX group companies was concentrated in the hands of a small group of inexperienced people, with compromised integrity of systems.

In the facts of the FTX case – group companies engaged in several related party transactions. In terms of the Declaration, inter-company accounts receivables, loans payables and loans receivable were not reported in the financial statements of the FTX group companies. The "back-door" mechanism in the exchange software prevented this from being flagged off by the systems. Stringent disclosure and reporting requirements were not followed at all, and in fact information was knowingly suppressed.

This breach necessarily needs a strong local regulator and high audit standards.

In India, the Companies Act, 2013 and related audit standards for related party transactions are best in class; though suitable amendments to account for the speed of crypto transfers will need to be introduced. The Ministry of Corporate Affairs in India, has also mandated the reporting of details of virtual currency transactions by companies - this is in terms of Notification No. G.S.R. 207(E) dated 24th March, 2021 (applicable w.e.f. 1st April, 2021), under Schedule III of the Companies Act, 2013 - Part – II – Statement of Profit and Loss - General Instructions for Preparation of Statement of Profit and Loss.

SPECIFIC REGULATIONS FOR CENTRALISED EXCHANGES:

Centralised Exchanges ("CEXs") are owned, operated, and managed by a single entity who owns the crypto exchange and generally maintains off-chain records of orders posted by traders. Whereas Decentralised Exchanges ("DEXs") allow crypto traders to buy and sell cryptocurrencies without intermediaries. In terms of the Declaration made by John. J Ray III, one of the key reasons for failure of FTX was centralised management of the custody of digital assets of the customers by FTX. The management practices at FTX revealed that there was absence of daily reconciliation of positions on the blockchain, use of software to conceal misuse of customer funds (the "back door"), use of an unsecured group email account to access confidential and critically sensitive data and absence of independent governance. CEXs act as intermediaries and hence have the ability thereof to control all operations relating to trade in crypto.

As all exchanges in the financial world, CEXs dealing in crypto need to use cutting edge technologies to track, trace and report transactions, and regulators of such exchanges in turn need to develop systems which can flag off discrepancies on a real time basis, even as they develop sophisticated early warning tools. From a technology perspective, while the key elements of the crypto ecosystem are automated protocols on blockchain and being decentralized in nature, the need for governance of the crypto ecosystem must have a centralized system of monitoring – a transborder data network is required to track transactions.

MANAGEMENT ACCOUNTABILITY:

In innovative sectors, entrepreneurs are often young and inexperienced. However, when matters involve public money, regulators would do well to prescribe certain statutory roles within companies who are able to assess, monitor and are responsible for risk reporting. However, care must be taken to ensure that innovation is not thwarted by prescribing onerous risk limits. A combination of inexperience, bravado and complete criminal lack of respect for risk, led to the loss of billions of dollars in FTX. It is not the personal wealth of the founders, but the public money that needs to be protected.

Any enterprise that takes public monies, should be governed by statutes which prescribe certain statutory positions within the management structure. Resignations from these statutory posts should be subject to disclosed reasons and scrutiny/verification by regulators.

FTX COLLAPSE: WHERE DOES INDIA STAND?

The FTX crash is already having a ripple effect on the global crypto industry, and the Indian crypto traders are not insulated from this shock. In light of the FTX crash, several Indian crypto exchanges and investment platforms have issued statements which declare that they maintain the required cash reserves against the cryptocurrencies issued by them, which are ultimately held by them as custodian of the users.

Till date there has been no formal oversight of the crypto industry in India; albeit through other agencies such as the Enforcement Directorate ("ED") the government has kept an oversight.

Additionally, the Reserve Bank of India ("RBI") has been regularly issuing precautionary statements when dealing in crypto related transactions to ensure that the users and crypto exchanges are aware of the volatility and risks involved therein. There is also a growing voice to outlaw crypto trade in India - which is the easiest option but would be unfortunate. Key learnings from the FTX collapse should be considered by the policy makers to frame crypto regulations. The existing regulatory and tax framework and the proactive approach of supervisory bodies like the ED, RBI may help mitigate irregular practices in the crypto industry. Nevertheless, a central regulation which would govern the trade of cryptocurrencies and its finer nuances is long awaited and would definitely be welcomed by the crypto industry in India. Also, there must be no overlap of regulators and either the RBI or Securities Exchange Board of India ("SEBI") needs to take control. As India seeks to be a financial power center, the ability to trade and transact in cryptocurrencies within the jurisdiction, a well-defined and regulated network is a must.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.