While the industry of cryptocurrency matured greatly over the past decade, financial solutions that hinge on cryptocurrency are still perceived by regulators with great ambiguity. Brokers and exchanges are constantly being scrutinized closely for red flags, feeling that their future is far from certain. For exchanges, who are able to deal in fiat, the necessity of abiding by transparency regulations and rules becomes a significant chore. For such exchanges, proper processes of Know Your Customer (KYC) and Anti Money Laundering (AML) are a lifeline to legitimacy that must not be broken.
Several crypto brokers, due to the hope of providing a faster user experience, choose to ignore the crucial checkpoints of AML and KYC. Justifying their decision by claiming that significant money laundering or fraud cannot be accomplished in small amounts, such brokers and fiat-enabled platforms decide that they can allow a new account to trade without verification, up to a maximum lifetime transaction volume. In doing so, they often take a significant risk of breaking the lifeline of regulators’ trust.
Is It Safe to Give Low-Volume Fraud a Free Pass?
The common tactic of skipping KYC and AML checkpoints, as described above, entails inherent risks, which perhaps weren’t deliberated as carefully as they should have been. Apart from raising the eyebrows of the regulators, it leaves an open door for happy fraudsters. Fraud absolutely occurs at these low volumes in countless creative ways. A key to understanding the magnitude of low-volume fraud and money laundering lies in bracing one’s technology against a user who maliciously performs multiple transactions under the disguise of several different, allegedly unrelated entities.
A nearly effortless way to skirt the maximum lifetime volume model is called Structuring: fraudsters simply create multiple accounts at a single exchange to filter their dirty dollars or tokens through, and all will eventually point at the same destination wallet. Without proper KYC procedures, fraudsters will easily perform this type of attack without being noticed. Because of the unfortunate data breaches of the last decade, attackers currently have access to so much compromised personal data that they can easily undertake massive attacks by stacking up thousands of low-volume orders under different, allegedly unrelated, fabricated or stolen identities.
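The signal described above, many accounts that each stay under the cap while feeding one destination wallet, can be checked by aggregating on the wallet instead of the account. The sketch below is an added example, not code from the article or from any exchange; the cap value, the record layout and the sample ledger are constructed assumptions.

```python
from collections import defaultdict

LIFETIME_CAP_USD = 150.0  # assumed no-KYC lifetime limit per account (constructed value)

# Constructed sample ledger: (account_id, destination_wallet, amount_usd)
SAMPLE_TXS = [
    ("acct-01", "wallet-A", 140.0),
    ("acct-02", "wallet-A", 149.0),
    ("acct-03", "wallet-A", 90.0),
    ("acct-03", "wallet-A", 55.0),
    ("acct-04", "wallet-B", 120.0),  # single sender: not structuring
    ("acct-05", "wallet-C", 60.0),
    ("acct-06", "wallet-C", 70.0),   # two senders, but combined total under the cap
]

def find_structuring(txs, cap=LIFETIME_CAP_USD, min_accounts=2):
    """Flag destination wallets whose combined inflow from several
    accounts exceeds the per-account lifetime cap."""
    per_account = defaultdict(float)                      # lifetime volume per account
    per_wallet = defaultdict(lambda: defaultdict(float))  # wallet -> account -> volume
    for account, wallet, amount in txs:
        per_account[account] += amount
        per_wallet[wallet][account] += amount

    findings = []
    for wallet, senders in per_wallet.items():
        total = sum(senders.values())
        if len(senders) >= min_accounts and total > cap:
            findings.append({
                "wallet": wallet,
                "accounts": sorted(senders),
                "total_usd": total,
                # accounts a per-account cap check alone would have let through
                "under_cap": sorted(a for a in senders if per_account[a] <= cap),
            })
    # Largest aggregate inflow first, so reviewers see the worst case on top
    return sorted(findings, key=lambda f: f["total_usd"], reverse=True)

if __name__ == "__main__":
    for finding in find_structuring(SAMPLE_TXS):
        print(finding)
```

Every account in the flagged group passes the per-account limit on its own, which is why the check has to run on the destination side.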
Regulators of 2020 are painfully aware of the massive data breaches of the former decade. The large early breaches, such as the 3 billion 2013 breach at Yahoo, were not necessarily the worst ones. Often those early breaches were less hazardous than the ones that followed, where hackers managed to reach rich personal data of their victims by attacking financial institutions. The most severe breaches of the second part of the decade were those which were almost immediately tied to increased fraud and money laundering rates around the world: 143 million records breached at Equifax in 2017, then in 2018 and early 2019 a series of significant data breaches at Marriott, CIBC, First American Financial Corp and Facebook, affecting over 1 billion records in total.
Data breaches gave a healthy push to the booming industry of commoditizing stolen identities. Attackers find it increasingly simple to buy bulks of stolen personal info, which can be used very quickly in order to impersonate a legitimate user or to design a well-orchestrated social engineering attack, tailored to the taste of the victim.
Armed with rich stolen personal data, fraudsters perfected a common trick called Smurfing: instead of the same person creating multiple accounts, the fraudster uses a single broker and completes the money laundering by using it to make multiple transactions to unsuspecting individuals who don’t know they’ve helped the fraudster diversify. When “smurfs” and money mules are recruited to the aid of the fraudster, detecting illegitimate activity becomes even trickier, because the innocent “smurfs” do not exhibit malicious indicators. North America and EMEA are equally prone to the risk of social engineering, with dozens of fake websites going live on a daily basis to lure in unsuspecting “smurfs.”
Structuring, Smurfing, and many other less known schemes make it easy for fraudsters to exploit the naïve approach of organizations that assume that fraud and money laundering don’t occur in low amount transactions. Most cryptocurrency brokers don’t have the technology to determine if any bad actors are floating around in their ecosystems, and this corner-cutting represents a big problem ahead of the rollout of Europe’s fifth anti-money laundering directive—or 5AMLD.
The KYC Bar is Higher in 2020
Come January 2020, brokers will need to take additional measures to prevent money laundering by acting to promote transparency, sharing of information, and implementing more stringent AML protocols per 5AMLD. That means applying KYC practices to all transactions, no exceptions, and investing in the technology that makes these identification verification and data sharing processes less of a burden on user experience.
All cryptocurrencies themselves are considered “obliged entities” under 5AMLD, leaving no room to escape the stringent KYC requirements imposed by regulators. Brokers with noncompliant practices or an absence of KYC technology to attain compliance will soon need to make a big push if they want to do business in Europe, and in the young crypto sector, the scramble to compliance is nearly audible.
Even today, before 5AMLD goes into full effect, regulators are looking at the full flow of user experience. Each and every checkpoint that the user goes through is often perceived as liable by the regulators, be it exchange, broker, or payment platform. Sanctions by regulators in case of money laundering become a financial risk in the form of fines, but also a business risk when regulators decide to limit or ban an exchange from catering to significant regions.
Falling in Line Ahead of 5AMLD
Brokers and exchanges, who were eager to jump into the crypto gold rush, may now feel unfairly bogged down by the new standards and tempted to neglect 5AMLD rules. The globality of blockchain makes this kind of cavalier operation possible, but not recommended, as KYC failures also detract from brokers’ ability to avoid clients with specific nationalities. Proof that enforcement is in effect comes in the form of fines that are already being doled out for 4AMLD noncompliance, as well.
Practically, there are all the reasons in the world for a broker or exchange to begin integrating more sophisticated KYC, not the least of which being that unification in this regard will help build a secure base for mainstream adoption and retail crypto use. The KYC solutions to lean on are numbered, though wallets and exchanges working with Simplex enjoy its high standards and advanced KYC processes.
Crypto Evolution Comes from Within
At $4.26 billion lost to fraud in 2019 amid record fines levied by the CFTC and EU regulators, cryptocurrency industry stakeholders are shaking off the mentality of the last decade and preparing themselves for a new regulatory climate. Brokers are already educating themselves to an impressive degree on what the new situation means for them realistically, the types of fraud being proliferated by savvy culprits, and how to deploy the tools they’ve found to deal with KYC and AML needs.
Though they may not be the most attractive selling point with retail users, this is a pivotal moment for the entire industry, making the collective upkeep of good faith anti-fraud practices vital for the future. If all goes according to plan, the crypto companies that get the recipe right will find an even greater foothold that’s much harder to shake when the market really starts to stir.
Nimrod Lehavi, Co-Founder and CEO, Simplex