This guest blog was contributed by Susannah Hammond, Senior Regulatory Intelligence Expert at Theta Lake
In a legal case alleging a firm and its control person violated U.S. securities laws by offering for sale to the public certain non-fungible tokens (“NFTs”) without filing the required registration statement with the Securities and Exchange Commission (the “SEC”), the use of emojis was specifically called out as an expectation of profit for the NFT issuance. Although the literal word “profit” was not used in any of the organization's tweets, the “rocket ship,” “stock chart,” and “money bags” emojis all were cited and marked as an expectation of a financial return on investment.
In the U.S., the Securities Act prohibits persons from offering, selling, or delivering by means of interstate commerce any security unless a registration statement has been filed with the SEC. The Securities Act’s definition of a security is broad and includes an investment contract within the definition.
A U.S. Supreme Court case helped determined whether a transaction qualifies as an "investment contract" and, therefore, would be considered a security and subject to disclosure and registration requirements under the Securities Act of 1933 and the Securities Exchange Act of 1934. The court case helped create the Howey Test, a method to determine if an investment contract exists. The test clarifies if there is an ‘investment of money in a common enterprise with a reasonable expectation of profits to be derived from the efforts of others’.
In this instance, the Howey Test is important as certain cryptocurrencies and initial coin offerings (ICOs) may be found to meet the definition of an "investment contract" under the Howey Test. There are four criteria to determine whether an investment contract exists. An investment contract is:
An investment of money
In a common enterprise
With the expectation of profit (in this instance as illustrated by emojis)
To be derived from the efforts of others
The court’s conclusion that what the organization offered was an investment contract under Howey was said to be ‘narrow’ - it was made clear that not all NFTs offered or sold by a company will necessarily constitute a security, and each scheme must be assessed on a case-by-case basis.
The use of emojis need communications guidance
For organizations, emojis are an inherent part of modern communications. Organizations must treat emojis with the same care as every other form of communication or messaging. Using emojis brings risks associated with communications with the public in terms of misleading content, investor protection, dissemination of potentially material non-public information as well as challenges of capturing the full context of an emoji-laden conversation.
Firms need to ensure that emojis are expressly covered in preventive and detective controls, and communication guidance given to employees. The best method of security is often education. Regular training on the regulatory and compliance expectations around all forms of communication is a good way to keep the message fresh and provide an audit trail.
A potential challenge for firms is the ability to robustly capture emojis in their original context so that the meaning is apparent in both retrieval and surveillance. It is less common that firms have the capability to capture all elements and combinations of communications, though that must change fast. That comprehensive level of capture, preservation and retrieval is essential as part of a risk-aware approach to governance, risk and compliance.
AI surveillance can help
Any robust approach to surveillance must be built upon the upfront and comprehensive capture of all communications. However, the magnitude of communications outstrips the capacity of compliance officers to manually review conversations. The use of AI can help by enabling vast volumes of communications to be analysed. It also enables organizations to detect risks and breaches at scale, provide alerts at significant speed and help prioritize what to review.
There are a range of options for consideration as compliance functions refine and develop their use of AI. The deployment of purpose-built, pre-trained AI-based risk detections has many potential benefits. The models can be trained to detect specific confidential or personal information. These targeted detections use high-quality expert sources and domain expertise, which means that the burden does not fall onto individual organizations to train the AI models or verify the results.
It’s AI's ability to understand specific risks in context. Well-trained AI can use captured emojis and other elements of communications to take a full context view of a communication. With the right solution, the use of AI enables organizations to find the risks across its communications at speed.
For all, the use of emojis are inherently neither good nor bad - they are simply another form of communication which firms need to ensure is within their organization-wide strategic approach to data management and security.