Say goodbye to the under-regulated era of cryptocurrency. While crypto trading on the more mainstream exchanges is fueling the market, it’s also bringing greater scrutiny from regulators, as shown by the recent report by the New York State Attorney General’s office (OAG) on crypto exchange abuse, The Financial Action Task Force (FATF) announcements about upcoming crypto standards, and warnings to investors. And as guidance emerges and enforcement actions increase, crypto exchanges will, slowly but surely, start to look a lot more like other regulated financial markets. Just last month, the Financial Crimes Enforcement Network (FinCEN) announced that it now receives over 1,500 suspicious activity reports (SARS) on crypto a month now.
In the early years, crypto-trading occurred through a fragmented network of exchanges around the world, largely between anonymous parties. But it was the 2016-17 boom in Bitcoin, Ethereum, and Litecoin that really brought crypto trading to the attention of regulators.
As it stands, the current shifting regulatory landscape for cryptocurrencies in the U.S. is still very confusing. State and federal regulators are struggling to keep pace with the innovations in cryptocurrencies, and the speed to which trading has taken off.
An administrator or exchanger of cryptocurrency is a money services business (MSB). MSBs are considered financial institutions under the Bank Secrecy Act. This, in turn, means that they fall under the FinCEN’s oversight. The Securities and Exchange Commission (SEC) considers some cryptocurrencies and Initial Coin Offerings (ICOs) as securities, and therefore subject to securities regulations. The U.S. Commodity Futures Trading Commission also views virtual currencies as commodities. At the same time, the Financial Industry Regulatory Authority (FINRA)just recently filed its first enforcement action against an individual for marketing an unregistered cryptocurrency security. And those are just the federal agencies—the New York State Department of Financial Services (DFS), by way of example, regulates virtual currency activities through its BitLicenses and trust company charters. If that all sounds complicated, that’s because it is.
Shifting regulatory landscape
So, how should crypto exchanges navigate such a complex and shifting regulatory landscape?
Global crypto exchanges must develop and implement robust compliance programs covering a wide range of topics. And yet, for just about any crypto exchange overseeing billions in assets, maintaining exhaustive compliance programs is both time-consuming and expensive. Risk-based choices that must be made can be chancy in the absence of clear guidance and without a long history of regulatory interpretations and legal precedent.
Nonetheless, certain basic actions are clear. This begins with creating and implementing basic Know-Your-Customer requirements. But exchanges also need to implement robust anti-money laundering (AML), fraud prevention, and sanctions screening controls. Crypto exchanges whose compliance programs fail to meet regulators’ expectations will face the risk of costly enforcement actions. Just last year, FinCEN announced a significant fine against the BTC-e exchange and the owner of the BTC-e for violating AML laws, while the U.S. Department of Justice later filed criminal charges against BTC-e’s owner.
In developing their financial crime program, exchanges should think creatively about how to effectively incorporate tools into compliance and operations. As business grows and the volume of transactions increases, it will be increasingly difficult to keep up with any alerts relating to customer transactions and performing sufficient checks with respect to onboarding new customers and monitoring existing customers.
Another key area that must be a focus is market manipulation. Exchanges must create and implement a robust policy and corresponding framework designed to combat market manipulation. Market manipulation can take many forms, including trader and bot activity to artificially inflate prices (as indicated by price momentum and volume), and the failure by some trade engines who do not properly control the placement of matching orders opposite buy/sell orders.
Cybersecurity is also an ongoing, and ever-changing challenge, in which failures can take a heavy toll. Just take a look at Mt. Gox, which now faces claims of over $1 billion in lost cryptocurrency, after its own bankruptcy. Crypto exchanges are still a high priority target for hackers. Hackers put a premium on personally identifiable information (PII), such as social security numbers, making the safeguarding of customer and transactional data pivotal. Assembling a cybersecurity team is an important factor in keeping your exchange compliant. In addition to mitigating risk, a robust cybersecurity program may even be required by relevant regulations depending on where the exchange operations. The NYS DFS has issued specific cybersecurity requirements for all entities it regulates—some of those requirements include risk assessments, designating a chief information security officer (CISO), and incident management plans.
Where we go from here
It can seem like government regulations move at a snail’s pace compared to the speed of innovation in cryptocurrencies. While regulators continue to work through existing and future regulations, and we await new global FATF standards, exchanges can consider participating in a self-regulatory organization (SRO), such as the newly formed Virtual Commodity Association. There are many unanswered questions as exchanges grow, and the potential of SROs to help address issues and provide guidance is significant. We have one such example already—in June of this year, the CFTC announced that it is simplifying certain obligations imposed on an SRO when carrying out financial surveillance program for futures commission merchants.
To grow business and be competitive, exchanges will have to put in place compliance programs that are not only compliant with applicable regulations but will also protect them from financial crimes that can cause irreparable reputational damage. These compliance programs must be reliable and flexible, and constantly updated to meet the evolving requirements by federal agencies. Using robust, sophisticated tools that can automate transaction monitoring, customer screening, and certain facets of onboarding and transactions, along with setting up appropriate interfacing, will allow exchanges to devote appropriate compliance personnel and resources to the riskiest facets of the exchange and its customers. Such programs will go a long way in reassuring both regulators and verified investors that crypto trading is a legitimate financial market and that their under-regulated days are in fact a thing of the past.