What does the CFTC have to do with the Bitfinex hack?

After the Bitfinex hack, the CFTC should open a rulemaking to clearly define what constitutes "actual delivery" of cryptocurrency under the Commodities and Exchange Act.

Yesterday we explained that CFTC’s enforcement action against Bitfinex was not the proximate cause of the exchange’s hack, but some are arguing that it was the but-for cause. It’s probably also a stretch to say that the enforcement action was the but-for cause of the hack, but it certainly seems to be the case that Bitfinex implemented a multisig security model the way it did in order to avail itself of a statutory exemption to the Commodities and Exchange Act.

The exemption in question applies to retail commodity trades that result in “actual delivery” of the commodity (in this case bitcoin). What qualifies as actual delivery of traditional commodities like wheat or gold is pretty well understood and the subject of many court cases as well as CFTC guidance. However, what constitutes actual delivery of cryptocurrency has not been well defined.

As we pointed out a couple of weeks ago, the CFTC has before it a petition for a notice-and-comment rulemaking to define what constitutes actual delivery in the cryptocurrency. We believe the CFTC should grant that petition and embark on such a rulemaking, and we believe this for a couple of reasons.

First, rather than case-by-case negotiated settlements with individual companies, an open and transparent process in which all parties can provide input is a preferable way to determine the contours of actual delivery. And second, it’s possible, if not probable, that under consideration of the full Commission, rather than only enforcers, the CFTC might conclude that actual delivery of cryptocurrency can be achieved in a way that allows for many different security models and implementations. That would be good for everyone.