Memo to crypto exchanges: KYC compliance can be a competitive advantage

Published at: Oct. 9, 2020

Crypto intelligence firm CipherTrace released a study on Oct. 1 reporting that more than half of the world’s cryptocurrency exchanges had deficient customer identification processes in place against money laundering. On the same day, the United States government announced that it had formally charged BitMex, a top virtual asset service provider, for “failing to implement required anti-money laundering procedures,” among other things.

The two events, surely unrelated, nonetheless appear to be part of an emerging compliance picture. Dmitri Laush, CEO of GetID — an identity verification solution provider — told Cointelegraph: “The recent U.S. Commodity Futures Trading Commission lawsuit against BitMEX is a prime example that regulators take these matters seriously.”

More regular scrutiny of virtual asset service providers, or VASPs, should be expected, Laush suggested, and it will probably not be restricted to centralized cryptocurrency exchanges. Thomas Hardjono, chief technology officer at MIT Connection Science and Engineering, told Cointelegraph: “I believe that decentralized exchanges will inevitably have to comply with U.S. Bank Secrecy Act regulations and the [G7-initiated] Financial Action Task Force Recommendations.” As for the global compliance report from CipherTrace, Laush stated, “unfortunately that does not surprise me at all.” He commented further:

“Even Binance, one of the biggest and most famous crypto exchanges used not to require KYC for withdrawals below 2 Bitcoin. Many crypto-to-crypto exchanges, even those with high trading volume, like Huobi and HitBTC, do not require users to submit to any identity verification processes.”

“Some lag behind”

Know Your Customer regulations are designed to make concealing the origins of illegally obtained money more difficult for criminals. KYC rules are often linked with Anti-Money Laundering regulations, but AML is broader and can include, in addition to a KYC process, steps like risk assessment, compliance training, ongoing monitoring and internal audits. Elena Hughes, director of compliance advisory at the Gemini exchange, told Cointelegraph that the report’s findings are not surprising:

“The strength and effectiveness of the Anti-Money Laundering regulatory landscape varies widely from jurisdiction to jurisdiction, and while many jurisdictions have made great strides in advancing regulatory frameworks to address unique aspects of cryptocurrency, some remain lagging behind.”

As an example of how KYC can thwart would-be criminals, the CipherTrace study recounted how one VASP demanded that a suspicious account holder participate in a video call to verify the individual’s identity, “The account holder refused — preventing him from using the VASP to launder funds,” the study states. Furthermore, KYC processes can go beyond simple ID checks to include “documents that prove your address — e.g. utility bill — and source of income, like a hiring contract,” according to Laush, who then added:

“When it comes to big clients wishing to trade or withdraw large amounts of money, customer due diligence procedures can be applied, including sanctions watchlist checks and politically exposed person lists checks and more.”

Hardjono also said he was not surprised by the study’s findings, given that the VASP industry is still in its incipient stages: “The crypto industry should give itself a timeline or deadline — i.e., a point at which they should be KYC-compliant to the same degree as banks and traditional financial institutions.” He further added that “the crypto industry could agree that by the end of 2023 the majority will be compliant to the U.S. KYC regulations.”

Clearly exchanges must do better, continued Hardjono. First, they should invest in building their internal KYC-compliance infrastructures. “This may mean embracing emerging standards, such as Travel Rule Information Sharing Alliance that enable VASP-to-VASP identification.” Second, he believes that they will need to invest in data-protection and data-privacy solutions for customer information, particularly as some jurisdictions, such as the European Union, have strong privacy regulations.

A European paradox?

When it comes to Europe, the CipherTrace study found that 60% of European VASPs had “weak or porous” KYC processes, and six of the world’s ten most KYC-deficient countries were European. How does one reconcile a generally strong regulatory environment in Europe with so many noncompliant VASPs? Hardjono told Cointelegraph:

“I think this points to the nascency of the entire crypto industry, and the fact that blockchain networks are not geographically bound. This is possibly why Markets in Crypto-Assets regulations are being developed in the EU. The real question is how the MiCA regulations will be enforced across all EU nations — Western Europe to Eastern Europe.”

Laush noted that crypto regulation is now evolving rapidly in Europe: “After the Danske bank money laundering scandal last year, the regulations for every financial institution were tightened in Europe.” For example, the Estonian government has made it harder to obtain crypto licenses.

Given that regulators in the U.S. and Europe may be zeroing in on crypto exchanges, what should VASPs be doing to boost KYC and AML compliance? Pawel Kuskowski, CEO of blockchain analytics platform Coinfirm, told Cointelegraph, “Source of funds and crypto transactions monitoring are critical. There is very fast-moving illicit funds transfer that needs to be stopped when reaching exchanges.”

In Chainalysis’ 2020 Crypto Crime Report, the firm suggested that crypto exchanges need to extend KYC scrutiny for over-the-counter trade desks — which, while attached to exchanges, often act independently. Jesse Spiro, global head of policy at Chainalysis, told Cointelegraph that crypto exchanges should be looking at implementing a range of tools: “Outside of travel rule compliance, exchanges need to implement fraud and AML systems more broadly. That could include better KYC and enhanced due diligence tools, vendor services, transaction monitoring, and sanctions screening.”

Regulators can do more

There are also steps that regulators themselves might take to make it easier for exchanges to comply with KYC and AML. According to Kuskowski, “Regulators should agree to thresholds for transactions and related checks.” For instance, KYC might not be required for crypto transactions of less than $100 — there would be only source-of-funds monitoring. For crypto transactions between $100 and $1,000 in value, only simplified KYC might be required. This would help enforcers to focus on the larger, more meaningful cases.

Spiro would like to see more advisories and guidance provided by regulators. These “have been extremely beneficial to the industry, as they provide specific information related to risks, typologies, and more.” Certain agencies like FinCEN produce a steady stream of such documentation. Other agencies might do likewise, he proposed:

“More broadly, implementation of AML regulation by jurisdictions is important in supporting exchanges. Implementation and adoption of regulation has been spotty on a jurisdictional level, a year after the FATF released their virtual asset recommendations.”

Dave Jevans, CEO of CipherTrace, told Cointelegraph that “regulators should move quickly to codify clear cryptocurrency AML and KYC laws and set realistic expectations for the timing of virtual asset regulation enforcement. Nations such as Singapore have rapidly adopted and are already enforcing travel rule regulations.”

Decentralized exchanges won’t be exempt

Decentralized exchanges, or DEXs — a type of DeFi application — pose particular challenges for regulators. According to the CipherTrace study, “They often lack any clear regulatory compliance,” therefore, “DeFi can easily become a haven for money launderers.” Decentralized exchanges may have even skewed some of the study’s findings.

Will DEXs, too, inevitably have to comply with BSA-type regulations? Given that DEXs are premised on peer-to-peer trading as well as rules and protocols embedded in software, implementing KYC processes have been largely ignored. Among the 21 DEXs for which CipherTrace could identify a host country (as most of the 51 DEXs examined in the study were effectively “country-less”), 81% had no KYC processes at all.

Jevans told Cointelegraph, “The jury is still out on how DEXs will be treated, but most likely they will be required to comply with BSA-type regulations — particularly the DEXs operated by large, well-capitalized, centralized firms and organizations.” Europe, in particular, may become problematic for “pure DeFi” players because crypto-asset issuers under the new MiCA directive “will need to have a legal entity to do business with citizens of Europe.”

In March 2019, Coinfirm examined 216 cryptocurrency exchanges and found 69% of them lacking “complete and transparent” KYC procedures. Kuskowski spoke of the progress made: “A good number of those exchanges have improved their policies and procedures. However there are new players, including in the DeFi sector, who highly disregard AML/KYC.”

Kuskowski, former global head of AML function at commercial banking giant RBS, previously wrote an article quoting consultant Adam Cochran regarding DeFi enterprises: “Many people presume there to be some sort of magical ‘peer-to-peer’ exemption that exists in these laws. I’m not sure where that myth comes from.”

KYC has limitations

These processes have their limitations, as “KYC cannot save you from hackers,” observed Laush, “you need to have cybersecurity specialists in the crypto exchange team to prevent users’ wallets from hacking.” The Mt. Gox hack — the crypto industry’s most notorious heist — was conducted by hackers who found vulnerabilities in the Japanese exchange’s transaction algorithm.

“KYC is a crucial front-line defense, and having no KYC requirements welcomes bad actors,” Spiro told Cointelegraph. However, KYC policies alone are not enough — on-chain data might arguably offer stronger risk indicators, he said.

Overall, cryptocurrency exchanges need to show that they’re a part of the financial system and that they’re ready to adhere to current regulations, including the implementation of strong KYC, said Laush, confirming that going through customer identity might make the onboarding process slightly longer, adding:

“But it has its undeniable benefits. First, regulators will see that a particular crypto exchange is a legit — or legal — business complying with rules. Second, it will create more trust with customers.”

Gemini’s Hughes told Cointelegraph: “Recent regulatory actions against noncompliant exchanges highlight that trust is difficult to gain, but easy to lose.” Gemini was one of the first crypto exchanges to conduct KYC before allowing anyone to use its platform. Its user agreement page lists 13 laws and regulations by which it abides, including AML and Counter Terrorist Financing provisions.

Cointelegraph asked Hughes if the existence of so many noncompliant crypto exchanges, as identified in the CipherTrace study, put Gemini at a competitive disadvantage. She answered: “Greater compliance has a cost, but it also has the potential to bring much greater market participants. [...] We believe Gemini’s ‘compliance first’ approach is a competitive advantage.”

In sum, more regulation of VASPs is coming, and it will probably be more costly for crypto exchanges to comply with KYC and AML rules, but compliance in the longer term also offers benefits like the ability to attract more conservative investors.

Tags
Regulation
United States
Cryptocurrency Exchange
Aml
Kyc
Related Posts
How US authorities are using old AML tools to crack down on crypto
The ease of laundering money in the U.S. before 1970 boggles the mind. Prior to the Bank Secrecy Act (BSA) of that year, there were no federal standards for banks to keep records on activity that fell under the category of “suspicious.” There were also no consistent reporting requirements — it was the BSA that established the $10,000 threshold that stands to this day. But it’s not like the BSA banished money laundering from U.S. shores. It wouldn’t even be until 1986 that money laundering was classified as a federal crime — a landmark in global anti-money laundering. Despite that …
Regulation / Oct. 24, 2020
BitMEX operator hires chief compliance officer amid US criminal charges
The operator of crypto derivatives exchange BitMEX, 100x Group, has hired a seasoned Anti-Money Laundering (AML) specialist, Malcolm Wright, as its chief compliance officer. In an announcement on Oct. 12, the 100x emphasized Wright's profile as the current chairman of the Advisory Council and AML Working Group at Global Digital Finance, and as a speaker covering key topics that include the Financial Action Task Force's Recommendations for Virtual Asset Service Providers. 100X Group had last week reshuffled its top leadership, removing BitMEX's co-founders Arthur Hayes, Samuel Reed and Ben Delo from executive roles. Hayes, Reed and Delo were all charged …
Regulation / Oct. 12, 2020
BitMex denies CFTC and DoJ allegations, says trading will continue
In a blog post published Thursday afternoon, Bitmex lashed out at charges that the Commodity Futures Trading Commission and Department of Justice filed against the exchange and its management earlier today. Bitmex's statement claimed that "From our early days as a start-up, we have always sought to comply with applicable U.S. laws, as those laws were understood at the time and based on available guidance." What exactly "applicable U.S. laws" are will likely be central to the case. Bitmex has long maintained that it does not serve customers in the U.S., though others before the CFTC and DOJ have argued …
Regulation / Oct. 1, 2020
Want to weed out ransomware? Regulate crypto exchanges
Just between July 2020 and June 2021, ransomware activity soared by a whopping 1,070%, according to a recent Fortinet report, with other researchers confirming the proliferation of this mode of extortion. Mimicking the prevalent business model of the legitimate tech world, ransomware-as-a-service portals popped up in the darker corners of the web, institutionalizing the shadow industry and slashing the skill ceiling for wannabe-criminals. The trend should be ringing a warning bell through the crypto ecosystem, particularly since ransomware attackers do have a knack for payments in crypto. That said, the industry that was once a Wild Wild West is now …
Blockchain / Feb. 20, 2022
Crypto lobby defends self-hosted wallets and P2P from rumored gov't crackdown
Major players in U.S. crypto lobbying are coming out in defense of noncustodial wallets. On Tuesday, the Blockchain Association released a new report presenting policy options for self-hosted wallets to regulators. On Wednesday, Coin Center published an expert view by Jai Ramaswamy, also defending such wallets. The Blockchain Association is a trade organization for the crypto industry, while Coin Center is a nonprofit focused on defending decentralization before policymakers. Both are based in Washington, D.C. Ramaswamy currently works on compliance for Celo's parent company, C Labs, and was formerly the head of the Department of Justice’s Anti-Money Laundering division. His …
Regulation / Nov. 18, 2020