Grewal V. Grewal: What Coinbase’s GC Should Expect from the SEC’s Enforcement Director

By | August 8, 2022

Paul Grewal, chief legal officer of Coinbase, and Gurbir Grewal, Director of the SEC’s Enforcement Division, each have a lot on their plate.

Paul leads the legal team for Coinbase, the most popular U.S. platform for buying, selling, transferring, and storing digital currency, whose mission is “to create an open financial system for the world and to be the leading global brand for helping people convert digital currency into and out of their local currency.”

Gurbir leads the enforcement team of the U.S. Securities and Exchange Commission (SEC), the world’s most well-known securities regulator, whose mission is “to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation.”

For the second time, Paul and Gurbir’s two worlds have collided. The first time Paul and Gurbir came to figurative blows was when the SEC sent Coinbase a “Wells Notice,” stating that the SEC planned to charge Coinbase for securities violations relating to Coinbase’s planned offering of a crypto-lending program called Lend (more on that skirmish later).

The second time relates to a recent Bloomberg report that the SEC is investigating whether Coinbase improperly let U.S. investors trade digital assets that should have been registered as securities. That report came on the heels of the announcement of a criminal prosecution by the U.S. Department of Justice (DOJ) together with an SEC enforcement action against former Coinbase product manager Ishan Wahi, his brother and his friend.

The SEC and DOJ allege that Wahi knew which assets Coinbase was planning to list and the timing of those announcements — and tipped his brother or his friend ahead of those listings so that they could place trades and profit ahead of the announcements. The SEC alleges that the three men purchased “at least 25 crypto assets, at least nine of which were securities,” and the trio allegedly generated nearly $1 million in profits over 10 months.

Of note is that the SEC did not charge Coinbase with operating an unlicensed exchange, leading some experts to wonder how the SEC could charge individuals with violating the securities laws while Coinbase, the exchange that listed the assets, escaped scrutiny.

“We are not concerned with labels, but rather the economic realities of an offering,” said Gurbir at the time. “In this case, those realities affirm that a number of the crypto assets at issue were securities, and, as alleged, the defendants engaged in typical insider trading ahead of their listing on Coinbase.”

The SEC’s investigation of Coinbase should come as no surprise. Having worked in the SEC Enforcement Division for almost 20 years, I predicted SEC scrutiny of crypto-trading platforms in several articles, including one dating back to 2018. More importantly, SEC Chair Gary Gensler has also broadcast a range of warnings that, if not registered, crypto trading platforms could be operating unlawfully if they serve U.S. customers. In fact, the Coinbase investigation may just be the tip of the iceberg. According to a recent Forbes report, a staffer from U.S. Senator Cynthia Lummis’ office claims that every U.S. crypto exchange, including Binance, is in various stages of SEC investigation.

Given that the SEC will never comment on even the existence of an investigation, let alone the substance of it, Coinbase and the rest of the crypto ecosystem are left to guess what the SEC has in store. This article offers some guidance for Paul not just on what to expect from Gurbir but also the best way for Coinbase to defend itself from an incoming SEC investigatory onslaught.

“Altcoins” at Coinbase

By way of background, shortly after Coinbase went public, the company added more than 100 new tokens, referred to by some as “altcoins” (and called by many more, pardon the expression, “shitcoins”). Typically lightly traded and extremely volatile, altcoins are easily susceptible to manipulation, hacks and other chicanery and rug-pulls. Altcoins are especially vulnerable to insider trading because, upon their sudden placement (i.e. going public) on a platform like Coinbase, they typically jump in price.

Per Bloomberg, the alleged insider trading at Coinbase involved altcoins and was evidently first spotted by crypto influencer Jordan Fish. On April 12, 2022, Fish, who tweets under the pseudonym Cobie (short for Crypto Cobain), observed and posted about suspicious trading activity in altcoins, apparently catching the attention of federal prosecutors, who tied the trading to Wahi. Fish had reportedly been complaining publicly for months about insider trading on Coinbase.

Along these lines, critics such as bitcoin analyst Sam Callahan have observed a pattern in which Coinbase promotes exceedingly volatile currencies to customers, who seem to be engaging in their own private pump-and-dump scheme. For instance, per Callahan, Coinbase touted Axie Infinity, the troubled crypto video game, just before its parent company was hacked and saw its token price crash. To make matters worse, Axie Infinity’s CEO reportedly made a $3 million transfer of AXS tokens to Binance before it disclosed the $622 million Ronin hack to the public. Around the same time, a Coinbase Twitter account was promoting Luna, the “stablecoin” project that subsequently went bust, losing over $40 billion in value, and is now completely worthless.

Meanwhile, tens of thousands of crypto investors (perhaps even more) have experienced financial ruin from crypto investments, with little hope for any recovery. Just a few examples: Terra Luna has lost $60 billion of investor money and is now practically worthless; Three Arrows Capital went from $10 billion in crypto-assets to bankruptcy; Voyager has filed for bankruptcy and owes $1.3 billion to 100,000 creditors; and Celsius Networks has filed for bankruptcy, going from a $25 billion valuation to $167 million and owing over 100,000 creditors.

Coinbase is a Public Company

What most analyses of the SEC’s investigation of Coinbase have missed is the unique nature of the SEC’s jurisdiction. The SEC probe of Coinbase is likely vast and infinite in an unusual way.

First off, the SEC is looking for fraud, market manipulation, insider trading, registration failures, and other securities violations relating to Coinbase’s crypto-trading platform. But there is likely a second and equally targeted SEC realm of inquiry, which Coinbase has probably never experienced before.

Given that Coinbase is also a U.S. public company that submits quarterly, annual, and other filings to the SEC, the SEC is also likely investigating the accuracy of those filings.

For instance, the SEC could investigate the possibility of any false or misleading statements in Coinbase’s SEC filings or any internal controls or books and records failures. Along these lines, the SEC could subpoena for testimony any person formerly or currently working at Coinbase and subpoena for production any email, text, or other document in Coinbase’s possession.

And, per the SEC’s Routine Uses of Information (Form 1662), whatever the SEC uncovers will undoubtedly be shared with FBI agents and DOJ prosecutors working on the related criminal prosecution, as well as any other agency the SEC deems appropriate for sharing.

The SEC staff could even recommend that the FBI execute a search warrant if the SEC suspects destruction of documents or other evidence. The SEC could also refer for criminal prosecution any witness who the SEC believes is misleading the SEC staff (by act or omission); destroying, or causing to be destroyed, documents, texts, emails, etc.; or taking any other action that the SEC considers at all suspicious.

With the exception of grand jury information, which is secret and generally cannot be shared with the SEC, the SEC, FBI and DOJ are likely in constant contact, sharing information, theories and findings.

Coinbase Potential Disclosure Failures

Although news of the SEC investigation of Coinbase triggered a 21% drop in its stock price, Coinbase has still failed to disclose with some level of precision what is actually going on.

Even worse, Coinbase’s previous SEC disclosures relating to litigation seem not only poorly drafted, but arguably misleading. Here are some samples from their most recent 10-Q, filed in May:

“We are subject to regulatory oversight by numerous state, federal, and foreign regulators and we are and we may become subject to various legal proceedings, inquiries, investigations, and demand letters that arise in the course of our business.”

“The company has received investigative subpoenas from the SEC for documents and information about certain customer programs, operations, and intended future products, including the company’s stablecoin and yield-generating products. Based on the ongoing nature of this matter, the outcome remains uncertain and the company cannot estimate the potential impact, if any, on its business or financial statements at this time.”

“We are and may continue to be subject to material litigation, including individual and class action lawsuits, as well as inquiries, investigations and enforcement actions by regulators and governmental authorities.”

“A particular crypto asset’s status as a “security” in any relevant jurisdiction is subject to a high degree of uncertainty and if we are unable to properly characterize a crypto asset, we may be subject to regulatory scrutiny, inquiries, investigations, fines, and other penalties, which may adversely affect our business, operating results, and financial condition.”

These disclosures seem oddly vague, obtuse, and opaque. The company has been public for just over a year and already the investigations of its operations are too numerous to mention by name or describe with particularity?

Moreover, DOJ just brought an unprecedented and massive insider trading case involving Coinbase, and shareholders have a right to know from Coinbase what’s really going on with the litany of Coinbase-related investigations.

This may seem picayune, but even a small sentence, buried in pages of boilerplate language, can trigger an SEC enforcement action. That’s what happened to Pearson PLC, a London-based publisher that experienced a 2018 cyber-attack. The SEC sued Pearson because, among other things, in its semi-annual report, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, a cyber-attack had already occurred.

Coinbase’s C-suite and Board

Coinbase’s Board should also prepare itself for heightened SEC enforcement scrutiny. For instance, certain Coinbase board members also work within the crypto industry and could have some ties to various tokens, which were added to the Coinbase platform.

Given the incestuous nature of companies within the crypto industry, the SEC will likely probe whether any Coinbase board member: 1) Benefitted from tokens added to the Coinbase platform or any other of Coinbase’s projects and activities; or 2) Failed to disclose any conflicts of interest in SEC filings.

Generally speaking, a conflict of interest is a situation in which a Coinbase board member or one of their family members has a personal or financial interest that compromises or could compromise the board member’s independence of judgment in exercising his or her responsibilities to Coinbase.

Conflicts of interest raise governance, tax, and regulatory issues for board members. They also raise concerns in the mind of the public and members of the media, potentially undermining the organization’s reputation and good standing.

For instance, whether or not a security, if Coinbase decides to make a digital asset available for trading, the listing can have a significant impact on the price and liquidity of that asset, especially on its first day. Thus, if board members or their family members have any sort of financial interest in a digital asset that Coinbase plans to list, then that relationship should be disclosed to shareholders or perhaps even prohibited altogether.

Coinbase Fights Back (And Misses)

What is not surprising about the SEC investigation of Coinbase is Coinbase’s antagonistic and combative investigatory (pre-litigation) defense posture. This has become the childish and ill-advised modus operandi of many members in the “Big Crypto Cartel.”

The characteristically belligerent approach is pretty much always the same: Rally online supporters and investors with inflammatory misinformation and anti-government rhetoric in an attempt to bully the SEC into moving on.

For instance, in response to Bloomberg’s reporting of the investigation, Paul Grewal immediately posted: “We are confident that our rigorous diligence process — a process the SEC has already reviewed — keeps securities off our platform.” Grewal also blogged that since DOJ chose not to file securities fraud charges, despite reviewing the same facts as the SEC, then that must mean that the SEC has no case. Both of Paul Grewal’s assertions are dead wrong.

First off, Coinbase is not a registered financial firm and no SEC division or office approved their processes. And even if Coinbase were registered as a broker-dealer or investment advisor, the SEC does not approve or disapprove core operations. Rather, the SEC Division of Examinations inspects SEC registered entities for compliance with securities statutes, rules and regulations, and if appropriate, writes deficiency letters; refers potential violations to the SEC Enforcement Division, FINRA or elsewhere; or takes other action as necessary.

Second, concluding that a lack of DOJ’s charges somehow provides a defense to SEC charges is misguided to say the least. Of course, DOJ’s charges carry a higher burden of proof and DOJ’s insider trading theory is streamlined, resting on wire fraud charges only. But there may be good reason for DOJ’s discretion that has little or nothing to do with the merits of any SEC case.

Indeed, the SEC often charges securities fraud parallel to DOJ’s charging of mere fraud for a variety of easily understandable reasons, including:

  • By charging mere fraud, and not adding a charge of securities fraud, DOJ avoids altogether having to prove that the alleged insider trading involved securities, making their jobs a lot easier;
  • Whether the defendants are convicted of merely fraud or of fraud AND securities fraud, a judge will likely order very similar criminal sentences;
  • Criminal fraud charges are “cleaner” without the securities-related allegations, creating a simpler message for jurors;
  • Avoiding securities fraud charges makes the DOJ indictment less redundant and less confusing — averting defenses that the case is “over-charged;”
  • By charging solely fraud, DOJ prosecutors avoid becoming overwhelmed by defense counsel motions about securities regulatory history and precedent;
  • By leaving securities fraud charges to the SEC, DOJ not only “delegates” issues relating to financial penalties, disgorgement and other equitable remedies to the expertise of the SEC, but DOJ also leaves it for the SEC to administer the post-conviction collection and distribution of financial penalties and disgorgement after prevailing; and
  • Most DOJ prosecutors are not securities lawyers and will try to leverage SEC expertise whenever possible, leaving the more technical securities fraud charges to SEC specialists.

In addition, the SEC, a civil enforcement agency and the DOJ, a criminal prosecutorial agency, have entirely different objectives and processes. Hence, communication between the SEC and DOJ is often a one way street, with the SEC typically providing a steady flow of information to DOJ, but for a variety of critical reasons (secret grand jury info, undercover operations, search warrants, etc.), DOJ providing very little information to the SEC in return.

Thus, it is quite possible that the SEC received a call from DOJ informing the SEC that the DOJ planned to announce their case on insider trading shortly — and the only part of the SEC’s case that was ready for filing related to the insider trading charges. In fact, the SEC may have simply planned to file its enforcement action against Coinbase on a later date, when the SEC had their ducks in a row, i.e., the investigatory record and findings were 100% ready for filing.

The Problem with the Big Crypto Playbook

Coinbase’s SEC defense playbook of distort and intimidate is not original. For instance, in the SEC enforcement action involving Ripple, Ripple’s defense team created such a dangerous online mob that the Judge ordered the SEC to redact personal info relating to an SEC expert because threats to the expert had become so severe.

Moreover, this is not the first time Coinbase has battled the SEC with grandiloquence and bluster. Last year, Coinbase launched a similar PR campaign about their planned Lend crypto-program. The Lend spat started when the SEC staff served Coinbase with a Wells Notice alleging Lend to be an unregistered securities offering.

Coinbase impudently responded to the SEC’s Wells Notice with a blog posting by its GC decrying the SEC’s actions as stifling innovation, and a Twitter thread by its CEO dubbing the SEC’s behavior “sketchy.”

The SEC’s response to Coinbase’s bravado at the time? Just like the response to Coinbase’s announcement of its most recent defenses — radio silence. But within a few days, Coinbase shut down Lend, raising a flag of surrender.

Coinbase has already begun a multi-faceted “offensive” defense strategy to the SEC investigation, filing a petition for rule making with the SEC so the crypto securities market has a chance to develop. Paul Grewal noted at the time of the petition’s filing (which fell on the same day as the Bloomberg report of the SEC investigation), “We worry that today’s charges suggest the SEC has little interest in this most fundamental role of regulators.”

Along these lines, it is important to note that SEC investigations are generally conducted on a confidential basis to maximize their effectiveness and protect the privacy of those involved. Because SEC investigations are generally nonpublic, the SEC will not confirm or deny the existence of an investigation unless the SEC brings charges against a person or entity involved. The SEC also will not provide updates on the status of any pending SEC investigation.

Hence, SEC staff will never respond in public to Coinbase’s bluster and bravado unless litigation begins. However, in private, within the corridors of SEC headquarters, the SEC staff will likely respond in their own way, typically by conducting their investigation even more intensely.

Regulation by Enforcement: A Losing Defense Strategy

In a rare rebuke of a sister agency, Commissioner Caroline Pham of the U.S. Commodity Futures Trading Commission (CFTC) issued a public statement criticizing the Wahi insider trading charges as “a striking example of ‘regulation by enforcement.’”

Pham’s criticism echoed similar condemnations by SEC Commissioner Hester Peirce who frequently invokes the same argument, even Tweeting along those lines when the SEC announced the creation of an expanded crypto enforcement unit, stating: “The SEC is a regulatory agency with an enforcement division, not an enforcement agency. Why are we leading with enforcement in crypto?”

Peirce, dubbed “Crypto mom” by the media, is not only a frequent crypto-promoter but also a frequent SEC-basher, and is likely a powerful ally for Coinbase within the secret chambers of the SEC’s closed commission meeting room. Hence, Coinbase is likely to lead with the argument that the SEC is regulating by enforcement, in an effort to rally Peirce, Pham and other internal SEC sympathizers for their cause.

But Coinbase should not bother with such a tired 30-year-old pivot and refrain. Litigation and SEC enforcement are actually how securities regulation works. The flexibility of SEC statutory weaponry is an SEC hallmark, enabling SEC enforcement to keep fraud in check.

In 1998, when the SEC Office of Internet Enforcement was created, critics harped on the same humdrum of complaint, i.e. that the vagueness of SEC regulation; the lack of clarity about what is a security; and “regulation via SEC enforcement” would stifle the growth of the Internet.

In response, I co-authored an article entitled, “The SEC’s Statutory Weaponry to Combat Internet Fraud,” laying out the SEC’s crucial common sense strategy of ramped-up Internet-related enforcement efforts. My thesis then was nothing new. The same notions had already been championed by:

1) Famed Georgetown Law School professor Donald Langevoort in: “Rule 10b-5 as an Adaptive Organism;” and

2) Legendary SEC Enforcement director Bill McLucas and SEC staffer Mark Lewis in: “Common Sense, Flexibility and Enforcement of the Securities Laws.”

In hindsight, relying upon the flexibility of securities regulation to police the Internet cleared out the more egregious instances of early online securities fraud. Moreover, vigorous online SEC enforcement efforts also paved the way for legitimate fintech innovations to flourish, rendering markets more efficient and transparent, thereby allowing investors more opportunities for success.

From policing foreign bribery payments (before the Foreign Corrupt Practices Act), to municipal securities fraud, to derivatives and insider trading, to prime bank frauds, the SEC has addressed emerging issues without the benefit, or the hindrance, of precise proscriptions. Instead, the SEC has relied on the general proscriptions contained in the federal securities laws and applied them practically and with common sense.

With every new high-tech advancement, those whose behavior was questioned have quipped: “Where is it specifically written that this behavior is illegal?” If there is no blackletter rule, they argue, the government’s efforts amount to ex post facto punishment reflecting the bureaucratic proclivity to expand power and broaden jurisdiction.

But the SEC’s approach was rarely improperly expansive, nor did it involve after-the-fact regulation. Rather, the SEC typically adopted a reasoned, common sense application of the basic requirements of the federal securities laws to new and evolving market conditions and technologies.

Coinbase’s Options

So, what should Coinbase do right now?

First off, Coinbase should file an 8-K with a detailed list of every single state, federal, or other investigation and some insights about each one — or otherwise risk adding fuel to an already burning (or perhaps even raging) SEC investigative fire.

Good disclosure practices are critical. Shareholders deserve absolute candor and transparency. Poor disclosure can also be telling. Like my late father used to say: “Get the little things right and you’ll get the big things right” and “If a person spits in the pool, they’ll pee in the pool.”

Second, Coinbase should cease and desist from the anti-SEC public relations campaign and stop attempting to rally public support in defense of its practices or in opposition to SEC overreach or legal misinterpretations. Specifically, Coinbase should avoid littering the airways with anti-SEC rhetoric, misleading Twitter threads, and antagonistic blog posts.

No matter how much pressure is galvanized by Coinbase, the SEC enforcement staff will not relent, even amid a constant flurry of threats, derision, and vitriol from the online rabble. In fact, that sort of provocation will only cause the SEC to double-down and become even more aggressive.

Grayscale rallied a similar online throng of tens of thousands to lambast the SEC for refusing to approve a bitcoin ETF. But the SEC not only remained true to its mission and refused to abide, the SEC also leaned in.

Finally, Coinbase should comply fully with SEC subpoenas and not challenge the SEC for lack of jurisdiction or for exceeding the scope and breadth of the SEC’s authority. If Coinbase refuses to comply with an SEC subpoena, the SEC will build a meticulous record of the refusal and file a subpoena enforcement action in federal court demanding compliance, which will, for the first time, make public all of the SEC’s suspicions and findings relating to Coinbase, just like the SEC did with Do Kwon and Terra Luna.

The only “limits” to an SEC investigation are the parameters set forth in the SEC’s formal order of investigation, which the SEC enforcement staff can easily amend and expand at any time. The standard is mere “official curiosity,” so Coinbase should prepare for, and yield to, what will undoubtedly become an SEC corporate colonoscopy of every aspect of Coinbase’s operations.

Looking Ahead

For now, with respect to the SEC and DOJ cases against Wahi and friends, those thorny questions of whether the digital assets constitute securities may remain unresolved. As typically happens (though not assured) when there are parallel SEC and DOJ prosecutions, the SEC action is often stayed by the judge until the criminal case is resolved. However, though the SEC’s Wahi insider trading litigation may grind to a screeching halt, the SEC Coinbase investigation will likely proceed full steam ahead.

The SEC staff will undoubtedly seek documents and testimony from:

  • A litany of former and current Coinbase employees, investors, partners, lenders, etc.;
  • The highest levels of the C-suite and the lowest levels of operations; and
  • Coinbase’s former and current board members.

Given the absence of regulatory oversight, inspections, audits, and examinations together with the lack of transparency of crypto firms like Coinbase, the SEC’s investigation of Coinbase could uncover misconduct of all sorts, perhaps even thievery or other deception. Moreover, the entire crypto-ecosystem has become so incestuous that investigations of other crypto-entities could also identify possible misconduct at Coinbase. Meanwhile, DOJ prosecutors may have already convened a grand jury, subpoenaed testimony and documents, and executed search warrants.

One thing is certain: With multiple U.S. federal and perhaps state agencies conducting Coinbase-related investigations, eager complainants, gregarious informants and immunity-seeking witnesses will undoubtedly proliferate. Along those lines, cooperation agreements will ensure that no stone is left unturned and digital forensics will ensure that no deleted file remains out of reach.

My take is that it’s not a matter of if, but when the SEC will file an enforcement action against Coinbase charging that certain digital assets listed for trading by Coinbase were securities and leveling an array of related registration violations.

But what seems uncertain is whether the SEC will also charge fraud and whether those fraud allegations will give rise to DOJ criminal prosecutions. Only time will tell whether SEC or DOJ file more serious fraud charges against individuals within Coinbase.

One final note worthy of mention: Most SEC investigations are akin to archaeological expeditions, where SEC enforcement staff dig to unearth the truth after a calamitous financial catastrophe. Madoff, Enron, WorldCom, Theranos and so many other infamous financial frauds are examples of SEC excavations after the fact.

But with Coinbase, the SEC’s efforts have been the opposite. For instance, when the SEC became aware of Coinbase’s Lend product, the SEC acted early on and succeeded in stopping Coinbase from offering an investment program that would have surely caused horrific financial damage to Coinbase customers.

Now the SEC once again appears to be launching yet another preemptive strike, embarking on an investigative journey to stop Coinbase from doing to its customers what Celsius, Terra Luna, Voyager and Three Arrows Capital did to theirs. So Godspeed SEC – and as for the rest of us, get the popcorn.


John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke University Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of “The Cybersecurity Due Diligence Handbook.”

