The ink spilled on FTX could fill an ocean. But the key question remains, at heart, unanswered: Where did customers’ dollars and bitcoins and ethers go? FTX customers probably didn’t deposit huge amounts of FTT (FTX’s own token), but as of early November 2022, FTX’s balance sheet counted billions of dollars’ worth of those tokens among its assets.
So, where did customers’ dollars and bitcoins and ethers go?
That question will be hashed out in bankruptcy court. But although the FTX collapse happened fast, the unwind will be slow. FTX bagholders will likely wait years to see how many pennies on the dollar (or satoshis on the bitcoin) they will receive.
So, immediate takeaways from the FTX debacle are not in the realm of financial forensics, but instead in the realm of governance—the root cause of FTX’s demise. FTX was brought down from within, even if CZ[1] fired the kill shot.
We’ll start with the basics: independent oversight.
Like a board of directors?
Yep. Independent oversight is the core of governance. Though company founders and management often have the best interests of their organization at heart, it can be easy to lose perspective as pressure piles up and the market forces of greed and fear rise. Consider these well-meaning sentiments and where they might lead if not tempered:
We’re doing so well, better keep up the momentum.
People think we can do X. How can we get to a place where we really can do X?
I don’t want to disappoint people.
Independent board members can offer much-needed objectivity at times when founders and managers feel enmeshed in business worries. Independent directors also can provide insight and wisdom gleaned from experience with other businesses and situations. Asking tough questions and making senior management a little less comfortable can be tremendously beneficial. (Internal auditors can serve a similar function but tend to have less power.)
The New York Times wrote that FTX had only three board members, and a Financial Times article stated that one of them had resigned as of June 2022.
If your startup lacks independent oversight, now would be a great time to seek it out. Don’t do what FTX did.
What about below the board level?
Separation of duties—requiring multiple people in order to complete an activity, instead of just one—is another key part of governance. For example, if a developer makes a change to software, separate people should review that change and push it into production. The developer shouldn’t be able to bypass code review and push her own change into production—even if she’s the lead developer. Even if she’s the CEO.
A historical example shows the importance of separation of duties. Barings Bank failed in 1995 after a trader made unauthorized trades and then altered the trade logs. As Investopedia puts it, “The Barings Bank crisis would have been avoided if the bank had abided by its own risk management procedures and not allowed a trader to also have access to their own trade logs and accounting paperwork.”
One allegation (of many) about the FTX debacle is that there may have been a software “backdoor” in the book-keeping system to avoid triggering compliance flags. It’s not clear yet what really happened, but if you’re a startup, take a look at your separation of duties policies and enforcement mechanisms for code changes, transactions, access control, and other important activities.
Let’s talk about data integrity and transparency. Like that poorly labeled account.
Sure. At FTX, as you may have heard, financial data was not tracked well, with shortcomings ranging from a “poorly labeled” fiat account to the many issues specified in interim CEO John Ray’s declaration filed November 17, 2022.
In a situation where data is not tracked, poorly labeled, poorly maintained, or insufficiently secured, transparency cannot exist because the data cannot be trusted.
The situation at FTX is far worse than what most companies face. But if you want to kick the tires on information transparency and integrity at your company, here are some questions to ask:
Can the CFO and CEO run or request a report on the company’s current financial positions?
If there’s a delay in getting that information, why is there a delay, and what is the as-of date of the information retrieved?
What safeguards are in place to ensure all data is consistent and correct across all systems?
Who verifies that the data is consistent and correct (e.g., line managers, risk management teams, internal auditors, and/or external auditors)?
When issues are identified, how are they communicated to senior management, and what is the process for addressing issues in a timely manner?
What if we’ve made some mistakes?
In the moment, mistakes suck. They make us feel embarrassed, anxious, and sometimes ashamed. It’s human, and it’s normal. But mistakes are also opportunities in risk management, if handled correctly. The right way to handle them is not to look away because we feel uncomfortable, or brush them under the carpet and continue business-as-usual because we think we can resolve them before they blow up on us, or violate other policies in an effort to undo damage from the first mistake.
The right way to handle mistakes is to raise them early, address them promptly, and fix the root causes so they can’t happen again. The same is often true for risks identified within a business: maybe a risk didn’t start out as a mistake, but external conditions changed, so the company needs to hedge or reduce the risk. For example, startup processes may at first be ad hoc and informal, but as the company grows, more formality becomes necessary to reduce risk.
Relevant to the FTX demise, based on information surfacing so far, it sounds like early employees at Alameda Research had their concerns about risk shrugged off.
In contrast, the movie Margin Call shows how warnings might go down in an (imperfect but better) company that’s paying attention to risks surfaced by its lower-level employees. The company saves itself, though at great cost and in a cynical, amoral way that at least somewhat reflects realities of the finance world.
Taking a path of disclosing, escalating, discussing, and addressing problems and risks is always difficult. It often feels like the worst decision in the immediate moment—most people don’t enjoy upsetting the apple cart—but it also often leads to the best outcomes for everyone involved.
Speaking of which, let’s talk about Theranos.
Hoo boy. “Tone from the top” is a famous phrase for a reason. If the tone at the top is one of denial instead of listening, the company is in trouble.
In a parallel universe of good governance, former Theranos CEO Elizabeth Holmes could have admitted to Theranos investors that this finger-prick thing wasn’t working out and then returned as much capital as possible to them. Startup founders do that all the time. Venture capitalists even expect lots of their portfolio companies to fail.
But for whatever reason, maybe because of sunk costs, ego, or perceived pressure to succeed, Holmes did not do that. She continued to claim Theranos’ technology worked even after it became clear it did not work, and Theranos continued to offer that technology to consumers who relied on it for bloodwork.
That’s a culture of denial—and a tragedy.
At least FTX wasn’t providing medical services.
Yes. (Can you even imagine?) FTX operated in the crypto industry, and in truth, most crypto investors are on board with the idea of speculating on risky assets. But “this asset is risky and volatile and I accept that” doesn’t equate to “it’s okay to commingle and lose customers’ funds.” Risky business doesn’t have to equal poor governance. In fact, the riskier the business, the stronger governance needs to be.
At this point in the FTX saga, although FTX’s and Alameda’s organizational culture and risk management practices seem inexplicable from any reasonable perspective, Sam Bankman-Fried is still trying to explain them to anyone who will listen. But the explanations are not great. Case in point:
He states he doesn’t understand why FTX US customers cannot withdraw their funds, when those entities were placed in bankruptcy in the November 11 filing[2];
He states he thinks customers “could end up being made a lot more whole” when he is no longer the CEO of FTX and has no influence in the bankruptcy proceedings.
He keeps giving interviews, clinging to his status as an Important Person Worth Listening To and apologizing over and over, when his lawyers would probably prefer him to STFU.
Yikes. So, what’s the takeaway?
Well, FTX interim CEO John Ray III will carry on with financial forensics, and eventually we’ll find out details of what really happened. The key question remains, “Where did customers’ dollars and bitcoins and ethers go?” The answer, when it finally comes, will hinge on governance.
The real takeaway from this debacle is that independent oversight, separation of duties, data integrity and transparency, early escalation of mistakes, and a culture of listening are the harder road day-to-day but the far easier one in the long run. On the other hand, if you shrug off governance and prioritize the appearance of strength, when someone calls your bluff, you may have no response that can stop the tide from going out.
-<>-<>-<>-
Extra, Extra!
Tangential extras for curious readers:
1. I Accidentally Interviewed SBF And He Hated It - by CoffeeZilla on YouTube - an internet commentator asks some tough questions on a group call with Sam Bankman-Fried.
2. Collapse of FTX Provides ‘Sobering Warning’ for Insurers About Governance Failings - in Insurance Journal - published today, hot off the presses, covering an AM Best report.
[1] Binance CEO Changpeng Zhao
[2] Wording has been slightly corrected. In Sam Bankman-Fried’s written testimony for the U.S. House of Representatives Committee on Financial Services, which he did not deliver verbally on December 13th because of his arrest the prior evening, he wrote that he signed a document nominating John Ray as CEO of various entities, and Ray then filed for Chapter 11 for those entities (including FTX US).
Yes.
Also there's a "knowing only enough to be dangerous" element in concert with false authority. Bankman-Fried had a successful background as a trader and knew crypto well. That doesn't mean he knew anything about how to run an exchange. The stuff he was prohibited from doing as a trader was handled by other people. He thought "crypto" replaced those controls just by being crypto.
The individual CEO overestimating his magisterium is common. The fact that people invested in that CEO without asking if he was working outside his knowledge is more the area where I don't think "VCs are used to losses" is an excuse. Yes they're used to CEOs that overpromise, but they could at least ask, "And who in this organization is holding the CEO accountable?"
Each time the latest white collar scheme of fraud emerges, I am disgusted. The system of penalties is so distorted. The risk-reward is built to ensure these things will continue to happen without anything standing in the way. Having worked with the blockchain 20+ years ago to good effect, it is sad to see it utilized to distort transparency. The rewards for fraud are SO HIGH and the penalties SO SMALL. No matter where the next fraud emerges, we throw up our hands and say oh well, let's figure out how to try to identify this stuff better next time.