Crypto intelligence firm CipherTrace released a study on Oct. 1 reporting that more than half of the world’s cryptocurrency exchanges had deficient customer identification processes in place against money laundering. On the same day, the United States government announced that it had formally charged BitMex, a top virtual asset service provider, for “failing to implement required anti-money laundering procedures,” among other things.
The two events, surely unrelated, nonetheless appear to be part of an emerging compliance picture. Dmitri Laush, CEO of GetID — an identity verification solution provider — told Cointelegraph: “The recent U.S. Commodity Futures Trading Commission lawsuit against BitMEX is a prime example that regulators take these matters seriously.”
More regular scrutiny of virtual asset service providers, or VASPs, should be expected, Laush suggested, and it will probably not be restricted to centralized cryptocurrency exchanges. Thomas Hardjono, chief technology officer at MIT Connection Science and Engineering, told Cointelegraph: “I believe that decentralized exchanges will inevitably have to comply with U.S. Bank Secrecy Act regulations and the [G7-initiated] Financial Action Task Force Recommendations.” As for the global compliance report from CipherTrace, Laush stated, “unfortunately that does not surprise me at all.” He commented further:
“Even Binance, one of the biggest and most famous crypto exchanges used not to require KYC for withdrawals below 2 Bitcoin. Many crypto-to-crypto exchanges, even those with high trading volume, like Huobi and HitBTC, do not require users to submit to any identity verification processes.”
“Some lag behind”
Know Your Customer regulations are designed to make concealing the origins of illegally obtained money more difficult for criminals. KYC rules are often linked with Anti-Money Laundering regulations, but AML is broader and can include, in addition to a KYC process, steps like risk assessment, compliance training, ongoing monitoring and internal audits. Elena Hughes, director of compliance advisory at the Gemini exchange, told Cointelegraph that the report’s findings are not surprising:
“The strength and effectiveness of the Anti-Money Laundering regulatory landscape varies widely from jurisdiction to jurisdiction, and while many jurisdictions have made great strides in advancing regulatory frameworks to address unique aspects of cryptocurrency, some remain lagging behind.”
As an example of how KYC can thwart would-be criminals, the CipherTrace study recounted how one VASP demanded that a suspicious account holder participate in a video call to verify the individual’s identity, “The account holder refused — preventing him from using the VASP to launder funds,” the study states. Furthermore, KYC processes can go beyond simple ID checks to include “documents that prove your address — e.g. utility bill — and source of income, like a hiring contract,” according to Laush, who then added:
“When it comes to big clients wishing to trade or withdraw large amounts of money, customer due diligence procedures can be applied, including sanctions watchlist checks and politically exposed person lists checks and more.”
Hardjono also said he was not surprised by the study’s findings, given that the VASP industry is still in its incipient stages: “The crypto industry should give itself a timeline or deadline — i.e., a point at which they should be KYC-compliant to the same degree as banks and traditional financial institutions.” He further added that “the crypto industry could agree that by the end of 2023 the majority will be compliant to the U.S. KYC regulations.”
Clearly exchanges must do better, continued Hardjono. First, they should invest in building their internal KYC-compliance infrastructures. “This may mean embracing emerging standards, such as Travel Rule Information Sharing Alliance that enable VASP-to-VASP identification.” Second, he believes that they will need to invest in data-protection and data-privacy solutions for customer information, particularly as some jurisdictions, such as the European Union, have strong privacy regulations.
A European paradox?
When it comes to Europe, the CipherTrace study found that 60% of European VASPs had “weak or porous” KYC processes, and six of the world’s ten most KYC-deficient countries were European. How does one reconcile a generally strong regulatory environment in Europe with so many noncompliant VASPs? Hardjono told Cointelegraph:
“I think this points to the nascency of the entire crypto industry, and the fact that blockchain networks are not geographically bound. This is possibly why Markets in Crypto-Assets regulations are being developed in the EU. The real question is how the MiCA regulations will be enforced across all EU nations — Western Europe to Eastern Europe.”
Laush noted that crypto regulation is now evolving rapidly in Europe: “After the Danske bank money laundering scandal last year, the regulations for every financial institution were tightened in Europe.” For example, the Estonian government has made it harder to obtain crypto licenses.
Given that regulators in the U.S. and Europe may be zeroing in on crypto exchanges, what should VASPs be doing to boost KYC and AML compliance? Pawel Kuskowski, CEO of blockchain analytics platform Coinfirm, told Cointelegraph, “Source of funds and crypto transactions monitoring are critical. There is very fast-moving illicit funds transfer that needs to be stopped when reaching exchanges.”
In Chainalysis’ 2020 Crypto Crime Report, the firm suggested that crypto exchanges need to extend KYC scrutiny for over-the-counter trade desks — which, while attached to exchanges, often act independently. Jesse Spiro, global head of policy at Chainalysis, told Cointelegraph that crypto exchanges should be looking at implementing a range of tools: “Outside of travel rule compliance, exchanges need to implement fraud and AML systems more broadly. That could include better KYC and enhanced due diligence tools, vendor services, transaction monitoring, and sanctions screening.”
Regulators can do more
There are also steps that regulators themselves might take to make it easier for exchanges to comply with KYC and AML. According to Kuskowski, “Regulators should agree to thresholds for transactions and related checks.” For instance, KYC might not be required for crypto transactions of less than $100 — there would be only source-of-funds monitoring. For crypto transactions between $100 and $1,000 in value, only simplified KYC might be required. This would help enforcers to focus on the larger, more meaningful cases.
Spiro would like to see more advisories and guidance provided by regulators. These “have been extremely beneficial to the industry, as they provide specific information related to risks, typologies, and more.” Certain agencies like FinCEN produce a steady stream of such documentation. Other agencies might do likewise, he proposed:
“More broadly, implementation of AML regulation by jurisdictions is important in supporting exchanges. Implementation and adoption of regulation has been spotty on a jurisdictional level, a year after the FATF released their virtual asset recommendations.”
Dave Jevans, CEO of CipherTrace, told Cointelegraph that “regulators should move quickly to codify clear cryptocurrency AML and KYC laws and set realistic expectations for the timing of virtual asset regulation enforcement. Nations such as Singapore have rapidly adopted and are already enforcing travel rule regulations.”
Decentralized exchanges won’t be exempt
Decentralized exchanges, or DEXs — a type of DeFi application — pose particular challenges for regulators. According to the CipherTrace study, “They often lack any clear regulatory compliance,” therefore, “DeFi can easily become a haven for money launderers.” Decentralized exchanges may have even skewed some of the study’s findings.
Will DEXs, too, inevitably have to comply with BSA-type regulations? Given that DEXs are premised on peer-to-peer trading as well as rules and protocols embedded in software, implementing KYC processes have been largely ignored. Among the 21 DEXs for which CipherTrace could identify a host country (as most of the 51 DEXs examined in the study were effectively “country-less”), 81% had no KYC processes at all.
Jevans told Cointelegraph, “The jury is still out on how DEXs will be treated, but most likely they will be required to comply with BSA-type regulations — particularly the DEXs operated by large, well-capitalized, centralized firms and organizations.” Europe, in particular, may become problematic for “pure DeFi” players because crypto-asset issuers under the new MiCA directive “will need to have a legal entity to do business with citizens of Europe.”
In March 2019, Coinfirm examined 216 cryptocurrency exchanges and found 69% of them lacking “complete and transparent” KYC procedures. Kuskowski spoke of the progress made: “A good number of those exchanges have improved their policies and procedures. However there are new players, including in the DeFi sector, who highly disregard AML/KYC.”
Kuskowski, former global head of AML function at commercial banking giant RBS, previously wrote an article quoting consultant Adam Cochran regarding DeFi enterprises: “Many people presume there to be some sort of magical ‘peer-to-peer’ exemption that exists in these laws. I’m not sure where that myth comes from.”
KYC has limitations
These processes have their limitations, as “KYC cannot save you from hackers,” observed Laush, “you need to have cybersecurity specialists in the crypto exchange team to prevent users’ wallets from hacking.” The Mt. Gox hack — the crypto industry’s most notorious heist — was conducted by hackers who found vulnerabilities in the Japanese exchange’s transaction algorithm.
“KYC is a crucial front-line defense, and having no KYC requirements welcomes bad actors,” Spiro told Cointelegraph. However, KYC policies alone are not enough — on-chain data might arguably offer stronger risk indicators, he said.
Overall, cryptocurrency exchanges need to show that they’re a part of the financial system and that they’re ready to adhere to current regulations, including the implementation of strong KYC, said Laush, confirming that going through customer identity might make the onboarding process slightly longer, adding:
“But it has its undeniable benefits. First, regulators will see that a particular crypto exchange is a legit — or legal — business complying with rules. Second, it will create more trust with customers.”
Gemini’s Hughes told Cointelegraph: “Recent regulatory actions against noncompliant exchanges highlight that trust is difficult to gain, but easy to lose.” Gemini was one of the first crypto exchanges to conduct KYC before allowing anyone to use its platform. Its user agreement page lists 13 laws and regulations by which it abides, including AML and Counter Terrorist Financing provisions.
Cointelegraph asked Hughes if the existence of so many noncompliant crypto exchanges, as identified in the CipherTrace study, put Gemini at a competitive disadvantage. She answered: “Greater compliance has a cost, but it also has the potential to bring much greater market participants. […] We believe Gemini’s ‘compliance first’ approach is a competitive advantage.”
In sum, more regulation of VASPs is coming, and it will probably be more costly for crypto exchanges to comply with KYC and AML rules, but compliance in the longer term also offers benefits like the ability to attract more conservative investors.