Last month, Secretary of the Commonwealth of Massachusetts William Galvin made good on his promise to conduct an exam sweep of ICOs in Massachusetts.  On January 17, the Enforcement Section of the Massachusetts Securities Division brought its first ICO related enforcement action, an administrative complaint against a company called Caviar and its founder Kirill Bensonoff for violations of state securities laws in connection with Caviar’s ICO. The complaint likely portends increased willingness on the part of state securities administrators to bring enforcement actions against ICO sponsors.  It also offers important lessons about how to conduct offshore ICOs so as to minimize the risk of offers and sales being deemed to be made to U.S. residents.

The complaint tells us that Caviar is a Cayman Islands company that has no actual place of business there, operating instead principally in founder Bensonoff’s home in Massachusetts.

The Caviar token offered in the ICO (CAV) was clearly a securities token; no pretense of a utility token here. Proceeds from the ICO were to be pooled and used to finance the acquisition of a portfolio of various cryptocurrencies, and also to finance short term “flips” of residential real estate properties. Purchasers of CAV tokens were told they would receive quarterly dividends equal to their pro rata share of 75% of the combined profits from this pooled investment fund of cryptocurrencies and real estate debt. Basically, Caviar was a virtual hedge fund and its tokens had key attributes of limited partnership or membership interests, i.e., they were securities.

The real interesting issue in this dispute would seem to be whether the offering was properly conducted offshore as intended and thus outside the jurisdiction of Massachusetts’ Securities Division (or any other securities regulators in the U.S.). Caviar’s argument would seem to be that the offering was made offshore and that they employed safeguards to ensure that no offers and sales were made to United States persons. Caviar’s ICO white paper states that United States persons (within the meaning of Rule 902 of Regulation S) are excluded from the offering and are explicitly restricted from purchasing CAV.

Before the complaint was filed, investors apparently had been purchasing CAV by visiting Caviar’s website at www.caviar.io (after the complaint was filed, the site was modified to greet U.S. persons with the following message: “It appears you are accessing caviar.io from United States of America.  Unfortunately, this website is not available in the United States of America.”).  To register for the offering, prospective investors were asked to provide an e-mail address and check two boxes. The first box indicated “Not U.S. person”, and the second box stated that the investor consulted with an experienced lawyer who advised the investor that he or she is eligible to invest. Caviar retained the services of an independent third party to screen out ineligible persons based on internet protocol addresses, i.e., numeric labels assigned to users or devices by internet service providers. If an individual was identified as a potentially prohibited purchaser, he or she would be prompted to upload copies of a government-issued photo identification. In sworn testimony given by Bensonoff before the Securities Division in this matter, he stated that “as far as [he knows], there’s not a single U.S. investor who has contributed.”

In the complaint, the Securities Division asserts that Caviar’s procedures to prevent the sale of CAV to U.S. investors are inadequate because Caviar’s identity verification procedures were relatively easy to circumvent. To prove the point, it had one of its investigators apply to participate in the Caviar ICO using the name of a “popular cartoon character”. The complaint doesn’t identify the cartoon character, perhaps in an effort to protect the Securities Division’s sources (if not its methods). When prompted to upload a photo ID (apparently because the investigator’s IP address indicated he was located in the U.S.), the investigator uploaded a photo of a government-issued photo ID obtained using a Google Image search. But the name, address, and date of birth listed on the submitted ID image didn’t match the personal information provided earlier by the investigator. Nevertheless, the investigator’s identity was “verified,” and the investigator was approved to participate in the Caviar ICO.

The complaint brought by the Massachusetts Securities Division offers some useful lessons for properly conducting an offshore ICO.  First, investor check-the-box self-certification will not suffice in the absence of effective verification measures by the sponsor to screen out ineligible persons. Second, inasmuch as it’s possible to identify applicants’ approximate geolocation based on internet protocol addresses, offshore ICO sponsors should carefully monitor the IP addresses of online investor applicants. Third, all applicants should be prompted to upload a copy of a government-issued photo ID, which should be carefully checked by the sponsor (either directly or through independent third parties) against other personal information provided by the investor.  Fourth, any attempt emanating from a U.S. IP address to open a link to an offshore ICO site should be directed to an alternate dead-end page that states nothing more than that the person seeking access appears to be in the U.S. and that the website is not available in the U.S.  Finally, a sponsor’s culpability will not be mitigated by lack of actual knowledge of any U.S. person purchases.