Invest in reliable assets, diversify your portfolio and choose a good crypto exchange, says a well-known maxim for investors. But, as often happens, this is more easily said than done. Today we will talk about crypto exchanges and the risks related to them.
This article is based on exclusive interviews with top managers of several crypto exchanges. Cryptonomos is most grateful to Andrei Popescu, Co-Founder of COSS.IO; Johnny Lyu, KuCoin VP; Srdjan Mahmutovich, Kriptomat CEO; Jason Wang, CHAOEX CEO; Max Grain, Product Management Executive of Bitlish, and Alex Strześniewski, Business Development Director at CoinDeal.
There are several hundred crypto exchanges in the world (from 200 to 600+, by different estimates), and many of them know what a hacker attack is. ‘Especially lucky’ exchanges, including Mt.Gox, Bitcoinica, PicoStocks, and Bitcurex have been attacked several times.
In the three biggest hacker attacks, crypto exchanges and their investors lost more than $1.3 bn. In January 2018 hackers stole $500 million worth of NEM coins from Coincheck, in February 2014 – $460 million worth of Bitcoin from Mt Gox, and in February 2018 – $187 million worth of Nano from BitGrail.
Investors certainly do not like to lose money, especially when it happens through the fault of exchanges.
According to ICORating’s Exchange Security Report, $1.3 bn has been stolen over the past eight years from just 30 crypto exchanges. The research showed that 32% of exchanges have bad code errors. Only 46% of exchanges protect their users’ personal details properly and have sound password requirements. And only 4% of exchanges meet all safety requirements.
However, crypto exchanges’ lack of security is not always their fault
The crypto space is becoming more mature with the inflow of institutional money, says Andrei Popescu, Co-Founder of COSS.IO and SCX Holdings. “As soon as more institutional investors enter the space, the market will be less concentrated”, he says. Institutional money needs enterprise-grade infrastructure, and it is already there, offered by the most renowned brokers, including Goldman Sachs, JPMorgan, Bank of New York Mellon, Northern Trust, Mitsubishi UFJ Financial Group, etc.
Institutional investors are also looking for more regulatory clarity, but this is something the market is still waiting for. It may come as soon as this year or next.
Improved regulation has not emerged yet. This is especially true of Anti-Money Laundering (AML) regulation of cryptocurrency. At present AML policies in different countries are not consistent and sometimes misleading, Allen & Overy consulting firm says. For example, in the US “a given cryptocurrency may variously be considered a currency, a security, or a commodity (and potentially more than one of these at once) under overlapping US regulatory regimes”, while in China, which boasts the strictest approach to cryptocurrency, all issuance and exchange services for cryptocurrency are effectively prohibited.
Allen & Overy defines AML Risks in cryptocurrency as ‘elevated’. Such risks include: trafficking in illicit goods, hacking and identity theft, market manipulation and fraud, and facilitating unlicensed businesses. “Anonymity, liquidity, and borderless nature of cryptocurrencies makes them highly attractive to potential money launderers”, Allen & Overy concludes.
Banks do not know how to work with crypto exchanges
According to Srdjan Mahmutovich, Kriptomat CEO, two years ago crypto regulation in Europe was quite loose, and it was quite easy to get a payment processor or bank accounts. “The banks did not know anything about this industry, so it was open field for all these things”, he says.
Now this has changed. “Some banks don’t want to open account, and I understand why: because of ICOs, scam, they don’t have enough knowledge to assess this. But many of them are unwilling to open accounts for exchanges. Why? Because of potentially negative PR they might get”, Srdjan Mahmutovich adds.
Banks know that cryptocurrencies are involved in 10% of the total of the $2 trillion of dirty money that is washed annually, but many of them are in no hurry to adjust their AML programs to catch cryptocurrency criminals. “Some banks are not accepting accounts related to cryptocurrency because they do not know how to handle them”, said Natasha Taft, an AML expert compliance consultant in New York, to finops.co.
It is little surprise that bank AML specialists recommend that all cryptocurrency transactions made by customers from certain countries, including Russia, Venezuela, Lebanon, Iran, North Korea, Ukraine and Turkey, should be flagged as high risk. It means that banks will avoid transactions with all citizens from those countries, regardless of whether their money is ‘clean’ or ‘dirty’.
KYC procedure: cure-all solution or not?
To avoid the Mt.Gox situation, crypto exchanges use AML and KYC (Know Your Customer) procedures to monitor customer behavior, says Jason Wang, CHAOEX CEO. Both AML and KYC are easy for users, who need only upload scans of certain documents to be verified.
Some exchanges seem to exist only because they do not comply with AML requirements, says Max Grain, Bitlish’s Product Management Executive. However, such players will eventually close or be shut down as new restrictions clean up the market. There are bound to be regulatory challenges or changes, as well as personnel, personality, and product issues along the way that will challenge how your AML operations take place, he adds. This is especially important for a growing company because larger volume brings more AML-related tasks.
In terms of regulation, there are a lot of crypto companies that are breaking the law, says Alex Strześniewski, Business Development Director at CoinDeal. For example, some exchanges want to add fiat currencies and allow their users to trade without undergoing KYC. “Even if there’s a limit within which you can trade (without KYC), you still break the law”, says Alex Strześniewski. Regulation is good, he says, although it will be much more difficult to acquire new clients.
“You can probably look at that like Forex, where you have to go through KYC, and I think some of the biggest exchanges are going to be basically chased for their users: user profiles, who’s trading on that platform, and I think we are going to see a really big decrease in the biggest exchanges’ trading volumes, because they’ll maybe make them go through KYC and then just cut off half the countries, which are troublesome”, says Alex Strześniewski.
KYC, which is supposed to protect both crypto exchanges and investors, turned out to be only a half-measure, because it also created a thriving black market for fake IDs. On the Internet, including specialized Telegram channels, it is possible to buy (and sell) the fake IDs necessary to pass KYC: passport scan, selfie, scanned bank statement. These documents can be bought for as little as $50, and investors snap up fake IDs as a means of protecting their own identity.
Investors have good reasons for being frustrated. If the mailing list gets leaked, there will be attempts to socially engineer them, sell the addresses on the black market or even blackmail their owners, claiming to have filmed the victim watching online porn and threatening to send the video to their friends and family. It is little wonder that people prefer to pay $50 for a fake ID to avoid all this, which makes KYC a useless tool.
“Exchanges need more databases from different countries and authorities (terrorists, people under sanctions, etc.) to verify each user and make sure all data is trackable”, says Jason Wang.
Crypto exchanges still have to do some homework and close loopholes to ensure the security of investor money. However, regulators from different countries are also expected to do some homework to make the crypto space safer. The market needs technical tools for AML and CTF monitoring to become more mature and ‘enterprise-grade’ and to serve the interests of ‘big money’ and institutional investors.