Custodian wallet providers and crypto exchanges are subject to stricter regulations year by year. As the number of cryptocurrency users continues to grow, the outlook for custodian cryptocurrency businesses remains positive. At the same time, these businesses face serious risks, especially around crypto exchanges, security, and compliance.
Considering how many attacks crypto exchanges have been subjected to over the years, the strictness of the law may be justified. At the same time, U.S. and Japanese regulators have imposed heavy fines on exchanges in recent years for inadequate consumer protection and anti-money laundering (AML) programs.
This is likely to become more common as regulators try to further tighten and enforce cryptocurrency-specific regulations.
Of course, avoiding negative consequences is not the only reason why these platforms take security and legal compliance seriously. These are also key to building trust with potential new users, especially as cryptocurrency takes over, and newcomers are looking for the most secure services.
Direction of regulation
The main direction of regulation is determined by the FATF (Financial Action Task Force).
The Financial Action Task Force, also known by its French name, Groupe d’action financière, is an intergovernmental organization founded in 1989 on the initiative of the G7 to develop policies to combat money laundering. In 2001, its mandate was expanded to include terrorism financing.
The regulation of crypto platforms is determined by the legal system of the country in which the company operates. However, it is very likely that these regulations largely reflect the FATF rules for financial services companies. These rules generally fall into three categories:
- KYC (Know Your Customer)
The customer identification rules require the collection of personally identifiable information from users, on the one hand to confirm that they are not subject to specific restrictive measures (sanctions), and on the other hand so that they are on record in case of future suspicious activity.
- Transaction Monitoring
All crypto businesses should continuously monitor transactions to prevent suspicious activity that could lead to money laundering, terrorist financing, or other forms of financial crime.
- Quick response to activities deemed risky
If a company considers one or more transactions to be risky, it must comply with various rules. These include the obligation to contact the user directly, keep records, and report to the competent enforcement authorities.
Let’s take a closer look at these categories.
Gathering KYC Information
During client verification, the crypto platform associates each account with a real identity. As part of the KYC process, the information that may be requested from users is as follows:
- ID card or driver’s license
- Date of Birth
- Mobile Phone
- Utility bills or other residence documents (bank statements, fixed-line telephone bills; mobile phone bills are NOT permitted)
There is no precise regulation on which of these data each platform must request at which stage. Most companies allow you to register by entering only an email address, but most U.S. cryptocurrency platforms ask for complete verification when you sign up.
However, when a user starts making transactions with large amounts (usually $10,000 per transaction), it is legal to begin keeping records with information such as name and address. So, while some cryptocurrency businesses choose to collect all possible KYC information during registration, others use a multi-level system in which more and more information is needed as the value a user wants to transact increases. The right approach depends on the business model and customer base.
Example of a multi-level customer identification system:
Tier 1: $0 – $1,500: email and mobile verification
Tier 2: $1,500 – $10,000: ID picture verification
Tier 3: $10,000 – $50,000: address verification
Tier 4: > $50,000: enhanced due diligence
The next step after customer identification is sanction screening. The goal here is to find out whether there are any sanctions against the user. Companies do this through various service providers, which maintain consolidated sanctions databases. This type of check should be performed at the time of registration and repeated from time to time by compliance officers.
In addition to sanction screening, it must also be ensured that the customer is not a PEP (politically exposed person). The definition of this may differ from one jurisdiction to another. In some countries, it applies only at the governmental level, while in other countries, it also applies to those involved in local politics. These individuals are at greater risk of bribery or other financial corruption.
Finally, a so-called media content check can also occur. Compliance officers try to find out whether any media anywhere in the world has published content connecting the user with a crime.
Most checks are done using artificial intelligence, but there are still many manual steps, which can be a reason for protracted verifications.
Crypto platforms must constantly monitor the transactions that users make from their addresses stored on the platform to confirm that they are not sending or receiving the proceeds of crime. Businesses in FATF-compliant jurisdictions must keep records of all suspicious transactions, all transactions above a certain amount, and cases in which users attempt to conceal such activities.
For example, FinCEN (the U.S. Financial Intelligence Agency) requires cryptocurrency companies (like all other financial services companies) to submit Currency Transaction Reports (CTRs) for all deposits, withdrawals, or currency conversions (e.g., Bitcoin to USD, Bitcoin to Ethereum, etc.) that are equal to or greater than $10,000.
Crypto companies in FATF countries must also comply with the so-called Travel Rule, which requires that the sending and receiving users be identified for transfers of over $3,000 worth of cryptocurrency and that this information be forwarded to the other side of the transaction, in case the second provider is also a custodian service provider (known as a virtual asset service provider, or VASP).
Finally, cryptocurrency businesses must keep records and report transactions that, while not specifically related to illegal activity or a violation of FATF rules, appear to be an attempt to conceal such activity or are otherwise suspicious.
Structured transactions. Structuring is when a user makes multiple transactions with amounts that fall just below the amounts that would require reporting under FATF rules. For example, if a user creates numerous transfers to another service address with a cryptocurrency value of just under $3,000, you will need to report it, as this may be an attempt to circumvent the Travel Rule.
Speed increase. A speed increase is when a user suddenly and drastically increases their trading activity. For example, a user who goes from trading once a week to twenty times a week should be recorded in the registry.
Identical parties. For example, if an inspector notices that 20 users have started sending money in the past month to an address not related to any known service, it is worth noting in case more suspicious activity occurs later.
Abnormal activity. Abnormal activity refers to any sudden change in the trading behavior of the user, in particular, a significant increase in volume. For example, if a user who has traded about $100 worth of cryptocurrency per week suddenly makes a transaction worth $10,000 in a week, that activity should be recorded as suspicious and possibly reported.
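The monitoring rules described above, applied to a week-by-week transaction list; this is an added example, not part of the original article or any platform's code. The $10,000 and $3,000 amounts come from the text, while the `Tx` and `review` names, the 10% "just under" margin, the minimum of three transfers and the tenfold spike factor are assumptions chosen for illustration.

```python
from collections import defaultdict, namedtuple

CTR_THRESHOLD = 10_000  # from the page: report transactions >= $10,000
TRAVEL_RULE = 3_000     # from the page: identify both parties over $3,000
NEAR_MARGIN = 0.10      # assumption: "just under" means within 10% below
MIN_STRUCTURED = 3      # assumption: near-threshold transfers per week, same destination
SPIKE_FACTOR = 10       # assumption: multiple of the user's own baseline that counts as sudden

Tx = namedtuple("Tx", "user week dest usd")

def review(txs, history_weeks=4):
    """Return {user: sorted list of flags} for users with at least one flag."""
    flags = defaultdict(set)
    weekly = defaultdict(dict)  # user -> week -> list of Tx
    for tx in txs:
        weekly[tx.user].setdefault(tx.week, []).append(tx)
        if tx.usd >= CTR_THRESHOLD:
            flags[tx.user].add("ctr")
        if tx.usd > TRAVEL_RULE:
            flags[tx.user].add("travel_rule")
    for user, weeks in weekly.items():
        for week, batch in weeks.items():
            # Structuring: repeated transfers just under the Travel Rule amount.
            near = defaultdict(int)
            for tx in batch:
                if TRAVEL_RULE * (1 - NEAR_MARGIN) <= tx.usd <= TRAVEL_RULE:
                    near[tx.dest] += 1
            if any(n >= MIN_STRUCTURED for n in near.values()):
                flags[user].add("structuring")
            # Baseline: the user's own activity in the preceding weeks.
            prior = [weeks[w] for w in range(week - history_weeks, week) if w in weeks]
            if not prior:
                continue  # new user: nothing to compare against yet
            base_count = sum(len(p) for p in prior) / len(prior)
            base_usd = sum(t.usd for p in prior for t in p) / len(prior)
            if len(batch) >= SPIKE_FACTOR * base_count:
                flags[user].add("velocity")
            if sum(t.usd for t in batch) >= SPIKE_FACTOR * base_usd:
                flags[user].add("abnormal_volume")
    return {user: sorted(f) for user, f in flags.items()}

# Constructed sample data, not real transactions.
SAMPLE = (
    [Tx("alice", w, "addr-x", 100) for w in range(1, 5)] + [Tx("alice", 5, "addr-x", 10_000)]
    + [Tx("bob", 5, "addr-y", 2_900) for _ in range(4)]
    + [Tx("carol", w, "addr-z", 200) for w in range(1, 5)]
    + [Tx("carol", 5, "addr-z", 20) for _ in range(20)]
    + [Tx("dave", w, "addr-x", 100) for w in range(1, 6)]
)
```

Calling `review(SAMPLE)` flags alice for the $10,000 transaction and the jump from her $100 weekly baseline, bob for four $2,900 transfers to one address, and carol for going from one to twenty transactions a week; dave's steady activity produces no flag.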
Reactions to Suspicious Activities
Various crypto companies, whether an exchange or a wallet provider, have robust compliance policies and personnel infrastructure. The baseline is the risk-based approach required by law.
The magnitude of the risk posed by suspicious or illicit transactions depends mainly on the amount of funds involved and the risk's weight. A user who sends thousands of dollars worth of cryptocurrency to a darknet market should clearly be considered much riskier than one making a deposit of a few hundred dollars to a gambling service. Most cryptocurrency companies respond with one of the following measures when users execute a risky transaction, depending on the level of risk introduced and the user's past risky activity:
- Contacting the customer to ask for an explanation before determining the severity of the event in question
- Freezing the user's funds
- Restricting the user so that larger transactions are not allowed (which would trigger the next KYC level if the company uses a multi-level KYC system)
- Banning the user from the platform
The verification duration is not regulated by law, so anything can happen. Good luck!