SEC and International Regulations on Cryptocurrency - What you need to know.
The SEC has launched an investigation into cryptocurrency exchanges. Regulation is coming – is your cryptocurrency-based business ready to prove KYC/AML compliance?
Exponential Growth in Cryptocurrency
The cryptocurrency space has seen exponential growth in the last 6 months, as Bitcoin surged from around $4,000 per coin in September, to almost $20,000 at its peak in mid-December. This has attracted a huge number of new investors to the space, and lots of attention from international regulators.
International Regulation – KYC/AML
Christine Lagarde, head of the International Monetary Fund, has stated that her organization’s concerns around digital currencies stem from their potential use in illicit financial activities. This is due to the anonymity associated with cryptocurrencies – it has historically been difficult for law enforcement to identify the sender and recipient of transactions, which can range from a few cents to hundreds of millions of dollars.
The Undersecretary of the U.S. Treasury’s Office of Terrorism and Financial Intelligence Sigal Mandelker took this sentiment a step further by stating that her concern is in the lack of “Know Your Customer” and “Anti-Money Laundering” regulation for “cryptocurrency providers,” including popular exchanges like Coinbase, Bittrex, and Kraken.
“The lack of AML/CFT regulation of virtual currency providers worldwide greatly exacerbates virtual currency’s illicit financing risks. Currently, we are one of the only major countries in the world, along with Japan and Australia, that regulate these activities for AML/CFT purposes.”
Sigal Mandelker, Undersecretary of the U.S. Treasury’s Office of Terrorism and Financial Intelligence
She also called for more international regulatory coordination, which was a key theme during the January 2017 World Economic Forum, as highlighted by U.K. Prime Minister Theresa May, French President Emmanuel Macron and the secretary of the U.S. Treasury Department Steven Mnuchin.
“We should be looking at [cryptocurrencies] very seriously precisely because of the way they can be used, particularly by criminals.”
Theresa May, U.K. Prime Minister
While regulators remain cautious about the risks involved, the emerging consensus is that the economic value of cryptocurrencies and the underlying technologies outweighs the risks. EU Commission Vice-President Valdis Dombrovskis said the European Union wants “Europe to embrace opportunities of blockchain”, while preventing cryptocurrencies from becoming a method of “unlawful behavior”. Similarly, the chairman of the U.S. Commodity Futures Trading Commission (CFTC), in testimony before Congress, stressed the need for balance and a “do no harm” approach when regulating cryptocurrencies.
1. International regulators are cautiously optimistic about the opportunities in the blockchain space, and plan to work together to strike a balance between innovation and regulation
2. Know Your Customer / Anti-Money Laundering measures will be the focus for regulation, and the burden will fall on “cryptocurrency providers”, including exchanges and ICO platforms.
International Regulation – GDPR
The EU General Data Protection Regulation (GDPR) extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations. However, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.
What international regulators call “cryptocurrency providers” will fall well within the scope of GDPR. This will require these organizations to take a hard look at how they are storing, managing and protecting users’ personal data, including email addresses, IP addresses, and cookies. Furthermore, according to the 2017 Veritas GDPR report, only 31% of surveyed businesses believe they are compliant, and only 2% of those businesses achieve all requirements in GDPR. This statistic shows that these actors have plenty of work to do to reach a compliant state, with a strong focus on user privacy, consent, and “the right to be forgotten,” which is a key article in the upcoming regulation.
With KYC/AML and GDPR regulations mounting, how are these “cryptocurrency providers” reacting?
Cryptocurrency exchanges are online platforms where you can exchange one cryptocurrency for another cryptocurrency (or for fiat currency). You can think of them as a hybrid between a stock exchange and a currency exchange, like you might see at an airport.
According to Coinmarketcap.com, there are over 130 cryptocurrency exchanges operating internationally. With the recent surge in adoption, these exchanges have seen exponential growth in both daily trading volumes and new users per day.
Increased regulation drives inability to meet demand
As international regulations begin to take shape, cryptocurrency exchanges are being forced to implement full KYC/AML programs, like those in place at traditional financial institutions. Huge penalties are also being levied against exchanges which do not comply, as demonstrated by the $110 million penalty served to the crypto-exchange BTC-e last year for failing to register as a money transmitter, and failing to implement basic KYC/AML processes.
The regulatory clampdown is happening while the exchanges are seeing record numbers of users signing up to ride the wave of increasing cryptocurrency prices. In early January, Changpeng Zhao, the founder and CEO of Binance, the global market’s largest cryptocurrency exchange with up to a $9.5 billion daily trading volume, revealed that it had added more than 250,000 users in a single day. To meet KYC/AML requirements, each one of the new users needed to have their legal identity verified, which turned out to be problematic.
On Jan. 4, Binance was forced to temporarily close its doors to new applicants. “Due to the overwhelming surge in popularity, Binance will have to temporarily disable new user registrations to allow for an infrastructure upgrade. We apologize for any inconvenience caused.” Similar pauses in new user sign-ups were put in place by Kraken, which is a top 5 exchange.
So where is the breakdown?
A Daunting Task – International Regulatory Compliance for Cryptocurrency Exchanges
According to CoinTelegraph.com:
“cryptocurrency exchanges are struggling to address the exponentially increasing demand from investors because of the strict Know Your Customer (KYC) and Anti-Money Laundering (AML) systems the companies were forced to implement by the authorities.
Each user application must be manually approved and verified. The failure to segregate fraudulent accounts from legitimate users could result in large fines and lawsuits for exchanges. Consequently, the vetting process of users is rigorous and requires significant efforts from the employees of exchanges.
Given that exchanges are adding more than 100,000 users per day, it is likely that exchanges are also receiving more than one million trading account approval requests per month. That is, if the approval process of accounts takes around 10 minutes per account, 166,666 hours would be required on a monthly basis, which employees must cover manually.”
On top of the KYC/AML requirements, cryptocurrency exchanges also need to evaluate the GDPR requirements closely and ensure their systems are in compliance. This includes introducing new features for users to manage their personal information, providing ways for users to move their PII from one exchange to another, and storing the PII in a jurisdiction-compliant manner.
Current technical requirements for crypto exchanges to achieve international KYC/AML compliance
International identity verification in compliance with KYC/AML regulation is a truly daunting task. At a high level, a single cryptocurrency exchange must address the following issues:
- International identity verification (PII used against credit bureaus, etc.)
- International government-issued ID verification services
- Device fingerprinting and risk analysis
- OFAC compliance
- Username and password management
- Multi-factor authentication
- Password reset, 2FA reset, and other account lock out remediation
- Data storage in compliance with global regulations (GDPR, etc.)
ID DataWeb Solution
ID DataWeb’s technology, the Attribute Exchange Network (AXN), brings together the top providers across the global identity verification market, providing a simple toolset for cryptocurrency exchange operators to meet international KYC/AML regulations. Instead of the exchange needing to evaluate, integrate, and manage multiple tools, ID DataWeb provides a full-service integration platform to digitally verify international users, and supplement ongoing login with MFA.
The ID DataWeb advantage – fully managed KYC/AML and GDPR Compliance
- Single integration point to a network of 70+ services supporting 100+ countries across 3 tiers of identity verification – legal identity, relationships, and environmental context
- Integrate hosted KYC solutions tailored to your requirements and UX with your existing security systems via industry-standard OpenID Connect, SAML, or OAuth2.
- Ongoing login support with multiple 2FA tools, including Biometrics, TOTP/HOTP, and conditional step up based on environmental or legal changes
- Preconfigured templates for simplified compliance (International KYC, US Investor verification)
- Configurable policy engine to map complex scenarios using cross-provider risk scores
- User consent and PII management supports compliance (GDPR, HIPAA, FCRA)
- End user ability to manage access to all personal data, and remove at a whim
The ID DataWeb Process
- Configure. The crypto exchange owner chooses which countries to cover and which techniques to use to verify users. There are many preconfigured templates available in the ID DataWeb system, which may include international PII verification, government-issued ID scanning + facial comparison, device risk analysis, and others.
- Integrate. The crypto exchange integrates its existing account creation and identity verification process with ID DataWeb’s Attribute Exchange Network via industry-standard OpenID Connect. ID DataWeb handles all attribute collection, verification, and decisioning in real time. Results are sent as an OpenID Connect response to the exchange, which makes the final decision. ID DataWeb can also be integrated with the exchange’s login flows to reverify identity attributes on an ongoing basis, inspect device identity and user behavior for fraud, and trigger conditional step-ups with the industry’s most widely used 2FA services, or more forward-thinking solutions like mobile biometrics.
- Test. ID DataWeb’s extensive suite of test data can be used to test all aspects of the integration, including international test data, documents, and preconfigured test cases.
- Deploy. Verification services can be deployed on a rolling basis, or all at once across the globe.
- Measure. When the service goes live, the results can be monitored in real time in ID DataWeb’s administrative console, where results can be evaluated, and services can be adjusted. For example, the customer may choose to change from one US credit bureau data source to another for a subset of their user base, and compare the results.
As stated by international leaders, regulation in the cryptocurrency space will continue to increase over the coming years. As cryptocurrency exchange operators look ahead, they should consider a managed service approach to their regulatory compliance, as provided by ID DataWeb.