Crypto compliance - A Challenge That Has To Be Solved In 2022

By Uldis Tēraudkalns, CEO of Nexpay

Compliance remains a huge headache for crypto operators and buyers. We simply have to get to grips with it in 2022.

The picture was not pretty in 2021. Binance, the world’s biggest cryptocurrency exchange, was investigated by the U.S. Justice Department and Internal Revenue Service, trying to get to grips with potential money laundering. Authorities from the U.K.,Japan and Germany, among others, also had concerns. A few months before that, U.S. federal prosecutors laid charges under the Bank Secrecy Act against BitMEX for permitting thousands of U.S. customers to trade while publicly claiming to have prevented that. Three BitMex officials pleaded not guilty and are due to go on trial in March 2022. People are at risk of going to jail. 

Hardly surprising then, that the number of crypto compliance professionals expecting compliance to be a future priority rose from 53% to 86% in just four months in 2021. Extraordinarily, 20% of them don’t yet have a policy.

Too big to handle

A big part of the problem is the sheer diversity of regulation. Realistically, it’s too much for any organization to be able to handle. 

Take state sanctions compliance, for example. In a borderless world of digital finance, cross-border rules are erratically enforced and can come from just about any direction. Binance — showing that it really does take compliance seriously — regularly deactivates accounts owned by Iranians and Cubans - countries where the U.S. has stringent controls. In a similar vein, ConsenSys Academy, one of the industry’s leading Ethereum ETH/USD -centric educational organizations, banned roughly 50 Iranian students from its online platform in November 2021. And custody startup BitGo was penalized in 2020 by the U.S. Office of Foreign Assets Control (OFAC) for inadequate controls on users from sanctioned jurisdictions.

To cut the challenge down to size, regulators should focus on regulating centralized crypto exchanges and wallets instead of trying to regulate on-chain transactions and decentralized applications. By concentrating their energy on centralized exchanges, regulators can ensure not only AML, but also consumer protection, investor protection, market integrity and other important safeguards that can and should be applied to centralized businesses who handle funds for people. I don't mean just shutting unsophisticated investors out: The exchanges should have to prove that they are preventing abuse of retail investors by more sophisticated traders via market manipulation. Trying to regulate decentralized protocols, on the other hand, is like trying to regulate the wind : a waste of time; it will always find another way. 

The Travel Rule

In the US, FinCEN has proposed two major rule changes for banks and virtual asset service providers (VASPs). One concerns the so-called ‘Travel Rule’, an attempt by the Financial Action Task Force (FATF) to prevent people picking and choosing the most favorable set of international regulations, by imposing a threshold that triggers mandatory collection and retention of transmit transfer information on international payments. 

Initially, the Travel Rule only applied to banks. However, in 2019, the FATF extended it to crypto companies and now G20 countries and many other jurisdictions too have brought the Travel Rule into their local AML laws. FinCEN has now proposed reducing that threshold from the $1,000 under FATF regulations to just $250 if the transfer begins or ends outside the United States. A final decision, originally expected in Fall 2021, now looks likely for early 2022.

However, implementing the Rule is simply unrealistic and creates an unreasonable headache for crypto operators. Aside from the difficulty — or impossibility — of devising a travel rule system everyone is happy with, there is also the challenge of knowing who owns which address on the blockchain and who to share any information with.  What we have now is a piecemeal approach, where firms in more buttoned-up jurisdictions like the U.S., Switzerland, and Singapore are rolling out products for registered crypto firms in those regions.

If centralized regulation can work in traditional finance, where it’s the operators who are regulated rather than the technology, it can also work in crypto. I don't see a difference between a bank or stock exchange on one side and a crypto exchange or custodial wallet operator on the other. They should all be able to abide by most of the same rules.

Verify customers properly

The underlying problem is that getting hold of fake documents is not as difficult as you might expect. Typing ‘buy fake IDs’ on Google Search will give you an idea of the problem facing crypto compliance teams. Prices start at just €1 in some countries, with documents often taken from leaked databases. An already verified account is available for around $300. More sophisticated scammers might prefer to intercept documents and photos transferred on unsecured Wi-Fi or use technologies like deepfakes.

Crypto businesses are especially vulnerable to abuse by scammers if they don’t have proper ID verification, with liveness checks and additional checks for unlikely customer groups. The sophistication of today’s social engineering attacks, where victims essentially do the work for the scammers and are more complicated to catch than a fake document, plus the additional vulnerabilities created by remote desktop access – all this makes scamming an existential question for the industry.

And as the mainstream banks move into crypto territory, this is going to be big for them too. A 2020 global survey found that banks spend more than 5% of total revenues on compliance with an average onboarding process of thirty days. Nearly 10% of banks have no process for ensuring that client records remain up to date, meaning they risk another kind of non-compliance with data protection laws like the EU GDPR.

Don’t postpone compliance  

CZ from Binance recently said that “compliance is a journey” and there is truth in that, especially for small and fast-growing companies. However, there are things on which you just cannot compromise when it comes to building a long-term sustainable business. Unfortunately in the crypto industry there has been underinvestment in compliance, which will lead to problems down the road. You can understand why businesses are reluctant to eat into their profit margins: 

compliance is what retailers call a “distress purchase” — something you really don’t want to spend money on. But taking on that investment is likely to save costs, reduce reputational damage and even help avoid imprisonment in the long term.

This has been a gap in the build up of the crypto industry for too long. It’s a challenge that has to be solved in 2022.