Who’s Liable When Your Cryptocurrency Is Stolen? | JD Supra


One of the claimed benefits of blockchain and digital currency is their independence from the traditional banking system. However, this characteristic becomes problematic when digital currency is stolen or transferred without the account holder's permission, as there are limited options for account holders to recover their funds. Unlike traditional banks, which can track the funds, prevent transfers, or retrieve fraudulently transferred funds, cryptocurrency exchanges have limited capabilities to regain these funds. Additionally, user agreements with exchanges release them from any responsibility for such fraudulent transfers, transferring the burden of account protection onto customers and requiring arbitration for resolving disputes.

There are currently no specific laws regarding liability for cryptocurrency in these situations. Instead, courts are relying on established regulations for fraudulent transfers in the banking industry. To determine if a transfer is fraudulent, banks consider the purpose of the account and whether the stolen property is considered a "fund". Recent conflicting decisions regarding the theft of cryptocurrency from Uphold, an online broker, demonstrate that courts are trying to apply old laws to new technology. One court found Uphold guilty of fraud in a February ruling, but another federal judge ruled last week that the exchange was not liable under the same law. This leaves cryptocurrency owners uncertain about their legal standing.

The Dilemma Of "Electronic Funds?"

In 1978, due to the rise of electronic banking and the risks it brought, Congress passed the Electronic Fund Transfer Act (EFTA). This law, along with its associated rule, Regulation E, aimed to clearly define the responsibilities of different parties involved in cases of theft or misdirection of electronic fund transfers, such as senders, recipients, account holders, and financial institutions. According to these regulations, non-commercial customers had limited liability for unauthorized transfers, depending on whether they informed the bank about the unauthorized transfer. Although the rule stated that consumers were only liable for a small amount, typically ranging from $25 to $50, most banks chose to reimburse fraud losses voluntarily to encourage the use of ATMs and reduce their own operational expenses.

Regulation E is not applicable to more advanced business clients. Instead, UCC 4A-205 governs these transactions, providing financial institutions with protection from liability when processing fraudulent transfers, as long as they can prove they employed security and authentication methods considered "commercially reasonable." In fact, numerous agreements for commercial accounts have provisions requiring the account holder to acknowledge that the bank's security measures are deemed "commercially reasonable."

Looking ahead to the 2020s, we need to consider if the existing rules and regulations also extend to electronic funds transfers involving cryptocurrencies. When a hacker illicitly obtains digital currency from a broker, a wallet, or any other entity involved in crypto transfers, and then instructs the funds to be moved to a different wallet, can we categorize this as an electronic "funds" transfer according to the law established in 1978? If it falls within this definition, the consumer, who is the account holder, will have minimal or even no financial responsibility for the fraudulent transfer.

According to the law, an "electronic fund transfer" refers to any movement of money that is not done by check, draft, or similar paper. Instead, it is made through an electronic terminal, telephone, computer or magnetic tape to direct a bank or other financial institution to take money from or put money into an account. Importantly, the law defines a "financial institution" as a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other individual or entity that has a consumer's account.

In the realm of cryptocurrencies, a crypto exchange securely stores digital assets, known as cryptocurrency, in a customer's account or wallet. Acting under the instructions of the customer, it proceeds to move the cryptocurrency from one account to another. This categorizes it as a financial entity and designates the transfer as an electronic funds transfer. It is important to note that in cases of fraud or unauthorized transfers, the customer bears no responsibility or liability.

Assuming (and this is a significant assumption) that cryptocurrency can be considered a "fund" because the law specifically governs the "transfer of funds," it implies that the Electronic Funds Transfer Act may be applicable. However, if crypto is classified as a commodity (such as gold bullion, Dutch tulips in 1640, or beanie babies) rather than a fund, it follows logically that the EFTA would not be relevant. Likewise, if crypto is deemed a security, a commodity future, or any other category apart from a "fund," then the regulations of the EFTA might not be applicable in such cases.

Defining Matters

In February this year, a federal court in New York dealt with the same question regarding funds. In the case of Rider et al v. Uphold HQ Inc. et al, the court examined whether cryptocurrency qualified as a form of funds according to the EFTA. It concluded that based on the common definition of "funds" as a medium of exchange for purchasing goods and services, cryptocurrency fits the description. Thus, according to this court ruling, cryptocurrency can be considered funds, and any exchange involving the transfer of these funds may make the institution responsible for fraudulent transfers.

In a recent court case called Yuille v Uphold HQ, a judge from the same court as Rider discussed a similar issue involving the theft of cryptocurrency from a cryptocurrency wallet. The question was whether consumers were protected from liability under Regulation E. Judge Lewis Liman ruled differently than in the Rider case, stating that Regulation E did not apply. This was not because cryptocurrency was not considered a "fund," but because the crypto wallet did not meet the legal definition of an "account." Specifically, it was not considered a "consumer" account but rather a non-consumer account. According to the law, an "account" is defined as a deposit, savings, or other asset account primarily used for personal, family, or household purposes.

based on his intentions and objectives. It is important to note that the Court specifically highlighted the actions and decisions made by the individual when creating the cryptocurrency account.

The judge determined that since the intention behind investing in cryptocurrency was not for personal or domestic purposes, but rather for the purpose of making profits or investments, the crypto wallet could not be considered as an account eligible for protection.

What Happens To Someone With A Crypto Wallet?

The main goal of cryptocurrency is to function as a means of payment for various goods and services, ranging from everyday items like groceries to household items. Additionally, it is seen as an investment opportunity due to its speculative value. When we view cryptocurrency as a medium of exchange, there is a possibility that losses could be safeguarded by laws that aim to protect ATM debit cards. However, whether this protection applies depends on the specific circumstances of each individual and their intention for acquiring or holding cryptocurrency. To ensure that consumers and companies have a clear understanding of their risks and responsibilities, it would be beneficial to establish a comprehensive framework that assigns the risk of fraudulent unauthorized transfers of cryptocurrency through legislation, regulations, or agreements.

While there is still ambiguity surrounding whether cryptocurrency can be considered a "fund" according to the EFTA, it is plausible to argue that cryptocurrencies should be treated as funds. This would mean that the responsibility of fraudulent transactions should lie with financial institutions (brokers) instead of the consumers.

The problem with the recent court ruling is that it focuses on why consumers have a crypto wallet, rather than how they use it. For instance, if a consumer keeps money in a savings account to pay off debt but is also motivated by the small 0.1% yearly interest, would their goal of investing outweigh the intended use of the account and make them responsible for fraudulent transactions? Similarly, in the case of home businesses that operate from a consumer's personal account, does the fact that the bank account serves both consumer and business needs make it vulnerable to hackers?

The EFTA was established in the late 1970s, and it is apparent that there have been substantial changes since then. As a result, it is necessary to revise the law to correspond with the ever-changing advancements in our technology-driven world.
