While it’s possible to buy top cryptocurrencies like bitcoin (BTC) and ether (ETH) in the over-the-counter (OTC) market, most people will need an exchange in order to buy other altcoins. Exchanges are simply an important component of the system that makes the crypto market tick. Regulators around the world have identified this, which is why regulatory moves have primarily targeted exchanges. Regulators want to be sure that exchanges employ the best security practices as well as measures — Know Your Customer (KYC), Anti-Money Laundering (AML), and Combating the Financing of Terrorism (CFT), for instance — that discourage illicit transactions and improve account/wallet security.
Some exchanges do take their compliance to those measures seriously. For example, in the aftermath of the Binance hack on May 7, when around 7,074 bitcoins (worth $40 million on the day) were stolen, the company’s founder and CEO, Changpeng Zhao, announced that a significant security update will be conducted that will also include an upgrade to the KYC measures:
“We are making significant changes to the API, 2FA, and withdrawal validation areas, which was an area exploited by hackers during this incident. We are improving our risk management, user behavior analysis, and KYC procedures.”
So, let’s break down if such a stance over compliance with measures like KYC, AML and CFT is common among top cryptocurrency exchanges, and how much of an effect they have on the market and its participants.
What are KYC, AML and CFT
Each country has its laws governing KYC, AML and CFT measures. However, these laws do not come with specific standards, mainly because regulators want financial institutions to do all they can to reduce risks.
“The reasoning seems to be that if banks get clear guidelines on what constitutes adequate KYC they will never look any further than the minimum requirements,” John Callahan, chief technology officer at Veridium, an identity and access management software company, wrote in Forbes.
Know Your Customer
Know Your Customer, refers to a set of procedures and process that a company employs to confirm the identity of its user or customer. The robustness of KYC procedures varies across companies and jurisdictions. However, KYC fundamentally involves the collection and verification of a customer’s means of identification — including government-issued identity cards, phone numbers, a physical address, an email address and a utility bill, to name a few.
Anti-Money Laundering measures are a set of procedures, laws and regulations created to end income generation practices through illegal activities. Some of them include tax evasion, market manipulation, public fund misappropriation, trade of illicit goods and other activities of this kind.
AML regulations require financial institutions to continuously conduct due-diligence procedures to detect and prevent malicious activities.
The crypto industry has already been cited as facilitating a “rise of a new, high-tech era of virtual money laundering,” with cryptocurrency gambling sites reported by blockchain research house CipherTrace as being a common money laundering tool. In addition, Jamal El-Hindi, the former acting director of the Financial Crimes Enforcement Commission (FinCEN), a part of the United States Department of Treasury, hinted that AML compliance will be fundamental to the stability of crypto exchanges in the coming years:
“We will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate US AML laws.”
Combating the Financing of Terrorism (CFT)
Combating the Financing of Terrorism refers to the set of procedures aimed at investigating, dissecting, discouraging and blocking sources of funding intended for activities that realize religious, ideological or political goals through violence, or its threat thereof, against civilians. These procedures provide law enforcement agencies with an alternative, and potentially effective way to track and block terrorist activities.
Yaya Fanusie, the director of analysis for the U.S. Foundation for Defense of Democracies Center (FDD), earlier in September 2018, told the U.S. Congress that terrorist organizations aren’t using cryptocurrency as a funding vehicle. However, the U.S. House of Representatives, on Sept. 26, passed a bill that would establish a task force to fight the use of cryptocurrencies by terrorist groups.
How crypto exchanges approach KYC, AML and CFT compliance
As stated earlier, the process of regulatory compliance for AML and CFT involves KYC throughout transaction lifecycles. The KYC process is generally divided into four levels, namely:
- Customer acceptance policy (CAP), which is the stage where a company determines and documents the demographics of its desired customers.
- Customer identification program (CIP), which is the stage where the company confirms that the identity of a (potential) customer matches its CAP.
- Continuous monitoring of transactions to ensure regulatory compliance, identification of suspicious activities and risk management.
- Risk management
Based on the information available, it can be examined how exchanges handle these stages. Crypto exchanges will be divided into two groups namely the “fiat-to-crypto” exchanges and “crypto-to-crypto” exchanges. Fiat-to-crypto exchanges are the gates for new fiat money to enter the cryptocurrency market. These exchanges allow users to exchange fiat currencies like dollars for bitcoin, ether or any other supported cryptocurrency. Crypto-to-crypto exchanges, on the other hand, primarily allow users to exchange one cryptocurrency for another.
A few top fiat-to-crypto exchanges include Coinbase, Coinbase Pro, Gemini, Bittrex, Kraken, Bitfinex and Bitstamp.
Fiat-to-crypto exchanges typically perform at least some level of KYC because they deal with fiat money. This forces them to conduct business with banks and other traditional financial institutions, most of whom conduct KYC procedures before doing business with any entities.
Coinbase is a licenced crypto exchange based in the U.S. A full list of the licenses it holds is here. All that the exchange requires to open an account is a full name, an email address and a password. While this means that anyone from anywhere in the world can store, send and receive cryptocurrencies using a basic Coinbase account, ID verification is required to buy and sell cryptocurrency in the 33 countries it supports.
For its KYC, Coinbase chose Jumio’s digital identity solution Netverify in an attempt to be regulatory compliant while still delivering a smooth customer experience. In a bid to further mollify regulators, the company hired former New York Stock Exchange executive Peter Elkins to build the Coinbase Trade Surveillance Program, an initiative to monitor the markets with the aim to weed out bad actors.
Also licensed by the U.S. government, Gemini, unlike Coinbase, conducts KYC before allowing anyone to use its platform. On its user agreement page, Gemini states at least 13 regulations — including FinCEN, AML and CTF regulations — to which the users of its platform must be compliant. The exchange was launched in 2014 by brothers Cameron and Tyler Winklevoss.
At the start of the second quarter of 2018, a few months before Coinbase’s trade surveillance reports surfaced, Gemini partnered with U.S.-based stock exchange Nasdaq, which is one of the two largest exchanges in the world, for the deployment of Nasdaq’s SMARTS Market Surveillance technology to track market manipulations and fraudulent trades. The surveillance moves from both Gemini and Coinbase put them in the third stage of the KYC process.
Bitstamp requires ID and address verification before users can start trading on the platform. In the wake of surged interest in bitcoin, the exchange partnered with Onfido in February 2018, a digital identity verification provider, to handle its KYC to the end in order to make the customer onboarding process frictionless. Bitstamp was originally founded in Slovenia in 2011, but moved to the United Kingdom in 2013, and then to Luxembourg in 2016.
On Nov. 5, Bitstamp chose Cinnober’s crypto trading system for its exchange. Cinnober claims that its trading solution is built for regulatory compliance. The solution also employs Irisium’s market surveillance technology for risk management. Cinnober boasts a list of customers, including the NYSE, the London Stock Exchange, Euronext, and the Johannesburg Stock Exchange, to name a few.
Developed by fintech company iFinex, Bitfinex allows crypto users to open an account and immediately deposit, trade and withdraw crypto without identity verification. However, verification of a phone number, a residential address, two forms of government-issued ID and a bank statement is required to deposit and trade fiat currencies.
Earlier in the year, Bitfinex employed Irisium’s market surveillance technology to detect fraudulent behavior on its exchange. Bitfinex is based in Hong Kong.
Bittrex requires ID verification before allowing users to deposit, trade or withdraw cryptocurrencies. However, other than having a user agreement page that says its operations comply with KYC, AML and CTF policies — as does every other exchange — it is unknown if the exchange employs a market surveillance technology or plans to do so.
Kraken launched following two years of product development and beta testing, making it one of the oldest crypto exchanges. It has five tiers of verification (tier 0 to 4) requirements, depending on users’ intent to use their account. Kraken founder Jesse Powell decided to build the exchange after seeing the struggles of the then-largest — but now defunct — crypto exchange Mt. Gox.
Unlike Gemini and Coinbase, Kraken doesn’t appear to have any publicized surveillance program. All that is known comes from a Kraken blog post that was issued in response to the New York attorney general’s questionnaire. The company said:
“We currently employ nearly 200 people (more than 25% of the company) in compliance-related functions. As of Q1 2018, we are processing more than 1 law enforcement request per day, seven days a week.”
At the end of the second quarter of this year, a Bloomberg report called out irregularities involving certain tether trades on the Kraken exchange. John Griffin, a professor of finance at the University of Texas, told Bloomberg that the irregularities noticed are “suggestive of wash trading.” This technique is sometimes employed by traders, who act as both seller and buyer in a given transaction, to give a false impression of supply and demand. This act in itself is illegal. Kraken discredited the content of the report in a blog post. “It’s not clear what harm could come from wash trading of a pegged asset against its peg,” Kraken wrote.
Based on data from CoinMarketCap, top crypto-to-crypto exchanges include OKEx, Binance, Huobi, HitBTC, Bibox, ZB.com, Coinbene and LBank.
Binance, being a pure cryptocurrency exchange, isn’t as exposed to regulations. Therefore, it allows withdrawals of up to 2 BTC per day without any form of ID verification. For withdrawals up to 100 BTC per day, it requires photo ID verification.
OKEx, which partially allows fiat trades, has three levels of verification. Level 1 users have a transaction limit of $10,000 per order or $2,000 for fiat trades, and are required to provide a government-issued ID during verification. Its level 2 allows for trades over $10,000, and requires document verification. Level 3 is for trades above $200,000 and involves video verification.
HitBTC doesn’t perform any form of ID verification at account opening. Users can deposit and trade crypto without going through any KYC procedures. However, the exchange advises users to verify their identity by sending in the usual KYC documents, including bank documents, to its compliance department via email to “avoid eventual verification procedure in the future.” Users have taken to a number of social media channels to complain that HitBTC allegedly limited their accounts, with the exchange operator asking them to verify their identities.
Huobi doesn’t appear to require any KYC documents before allowing users to trade, but it does have an ID verification section in the settings area of a user’s account. It appears to only enforce KYC when users reach a certain account usage limit. In addition, Huobi has different withdrawal limits for verified and unverified users.
Bibox allows users to trade up to 2 BTC per day without any form of KYC verification. For trades up to 20 BTC per day, it requires a passport verification. On its website, Bibox advises users who want a higher limit to reach out to its support team via email. All that is required to deposit funds and start trading with Bibox are account security measures, including SMS and Google authentication.
Should crypto exchanges take KYC seriously?
Put simply, similar to fiat-to-crypto exchanges, the top crypto-to-crypto exchanges, as determined by their 30-day volume on CoinMarketCap, have some sort of KYC policy that they enforce at different stages. However, many of them haven’t been proactive about compliance.
“To gain respect and empathy from regulators, crypto exchanges need to be proactive about compliance,” Tony Mackay, who recently launched the Kryptos-X exchange, said. He went on:
“At the minimum, you want to get the on-boarding stage right, even if the crypto market is currently under-regulated. You also want to ensure that your user registration system can detect and deter criminal activities, using the expertise of best-in-class KYC/AML providers.”
Also, unlike their fiat-to-crypto counterparts, crypto-to-crypto exchanges — except for Binance — haven’t been reported as monitoring or tracking transactions to detect market manipulation or fraudulent behaviors.
In October, Binance partnered with Chainalysis, a compliance and investigation company catering to the cryptocurrency space. As part of the partnership, Chainalysis did a global roll-out of its compliance solution, which has a Know Your Transaction (KYT) feature. KYT is a real-time transaction monitoring solution for cryptocurrencies. U.S. agencies — including the IRS and FBI — are using Chainalysis’ solution to track cryptocurrency transactions.
Is it worth playing by the rules?
A recent report from P.A.ID Strategies, a payments and identity security consulting firm, found that the majority of crypto exchanges “lack sufficient background checks.”
It also claims that exchanges, at best, take a reactive approach to being compliant. Only a few have set up a system for monitoring behaviors and appear prepared to deal with regulators despite the under-regulation of the industry.
A recent emerging trend in the crypto space has been that of exchanges closing their offices in highly regulated jurisdictions and setting up shop in jurisdictions — such as Malta — where the local laws are “crypto friendly.” Binance and OKEx are the most notable examples.
For some crypto firms compliance is a double-edged sword in that on one side, firms ensure that no illicit activity is conducted on their platforms, while potentially compromising on the notion of decentralization on the other side.
In June 2019, new Financial Action Task Force (FATF) guidelines will be imposed that govern AML and CFT activities. The announcement from February states:
“Countries should ensure that VASPs [virtual asset service providers] are subject to adequate regulation and supervision or monitoring for AML/CFT and are effectively implementing the relevant FATF Recommendations, to mitigate money laundering and terrorist financing risks emerging from virtual assets. VASPs should be subject to effective systems for monitoring and ensuring compliance with national AML/CFT requirements.”
There are many who disagree with the tightening of controls, saying that, first of all, it would be difficult to set up domestic regulatory bodies, and in the meantime, companies may suffer as they will become overburden by reporting.
It is also not always possible to know the identity of the beneficiary, whom the destination wallet belongs to and what type of a wallet it is, according to Chainalysis. The company states that it would be more beneficial to collect wallet addresses of bad actors instead of user’s personal information.