The Ultimate Guide to Security and Compliance for Cryptocurrency Businesses
As the number of cryptocurrency users continues to increase and financial institutions like JP Morgan warm up to the industry, the outlook for custodial cryptocurrency businesses remains positive. But as history has shown us, these businesses, especially exchanges, face major risks around security and compliance.
Consider the many exchanges that have been hacked over the years: Upbit had $49 million worth of cryptocurrency stolen in an incident last year, Coincheck $534 million the year before that, and Mt. Gox was infamously forced to shut down after losing $473 million in 2014 — the list goes on and on. At the same time, regulators in the U.S. and Japan have levied large fines at exchanges in recent years for insufficient consumer protections and anti-money laundering (AML) programs. This is likely to become a more frequent occurrence as regulators seek to further codify and enforce cryptocurrency-specific regulations.
Of course, avoiding negative consequences isn’t the only reason to take security and compliance seriously. They’re also crucial to building trust with potential new users, particularly as cryptocurrency goes mainstream and newbies seek out the safest services. That’s why in this blog, we’ve teamed up with Fireblocks to give you a comprehensive guide to the steps you must take to comply with FATF regulations and keep your customers’ funds safe from cybercriminals.
Compliance for cryptocurrency businesses: How to follow FATF regulations
As a cryptocurrency business, the jurisdictions in which you operate will determine the exact regulations you must follow, but chances are they’ll largely mirror those laid out by FATF for money services businesses. These rules generally fall into one of three categories:
- Know your customer (KYC). These rules dictate the collection of identifying information from users, both to confirm they aren’t subject to sanctions and to have on file in case of future suspicious activity.
- Transaction monitoring. Every money services business must monitor transactions on an ongoing basis for suspicious activity indicative of money laundering, terrorism financing, or other forms of financial crime.
- Responding to risky activity. If you’re monitoring transactions effectively, you’ll undoubtedly encounter some risky behavior that you need to address in terms of dealing directly with the user, recordkeeping, and reporting to relevant enforcement bodies.
Below, we’ll cover each of these three compliance areas in greater detail.
Collecting KYC information
The KYC process is a cryptocurrency business's way of connecting every account on its platform to a real-world identity. Pieces of information you might ask for from users as part of the KYC process include:
- Email address
- State-issued identification or driver’s license
- Date of birth
- Social security number
- Phone number
- Physical address
- Utility bill or similar document to act as proof of address
Keep in mind that there are no rules dictating exactly what information must be collected and when. In most jurisdictions, it’s perfectly legal for a cryptocurrency business to let users sign up and start transacting with nothing more than an email address, though the norm for U.S. exchanges today is to ask for identification upon signup. However, it’s only when users begin transacting in large amounts (typically $10,000 USD per transaction) that a business would legally need to begin keeping records with information like name and address. So, while some cryptocurrency businesses opt to collect all possible KYC information upon sign up, others employ a tiered system in which more KYC is required the more value the user wants to transact with. The right approach depends on your business model and customer base. A tiered system might look like this:
- Tier 1: $0 – $1,500. Email and phone verification.
- Tier 2: $1,500 – $10,000. Photo ID verification.
- Tier 3: $10,000 – $50,000. Physical address verification.
- Tier 4: >$50,000. Enhanced due diligence.
Regardless of when in the customer lifecycle you collect it, once you have a verified document proving a user’s identity, the next step is to conduct sanction screening. The goal here is to figure out if the user is subject to any sanctions. Government bodies of multiple countries, including OFAC in the U.S. (so far the only to include any cryptocurrency addresses on its sanctions list) and the Bank of England in the U.K., maintain their own sanctions lists, so the easiest way to screen is to use a service like Thomson Reuters or Refinitiv. These services consolidate all relevant sanctions lists so that you don’t have to check each one individually or periodically check if existing users have been sanctioned since being onboarded. In addition to sanctions screenings, you can also use these services to conduct politically exposed person (PEP) screenings, which tell you if a user is a government official at higher risk for bribery or other forms of financial corruption, and adverse media screenings, which look across a variety of news sources for evidence that a potential user may be involved in criminal activity.
Transaction monitoring
As a custodial cryptocurrency business, you need to monitor the transactions your users conduct from their addresses hosted on your platform to confirm they aren’t sending or receiving funds from criminal entities. FATF-aligned jurisdictions also typically have rules dictating that you keep and share records of any suspicious transactions, all transactions above a certain size, and instances in which users may be attempting to conceal such activity.
Let’s start with monitoring for criminal activity. You need some way of knowing when your users send or receive funds from cryptocurrency addresses associated with illegal activity, such as those belonging to darknet markets, sanctioned individuals, scammers, and other cybercriminals, so that you can quickly take action (we’ll cover the specific actions soon). Luckily, services like Chainalysis Know Your Transaction (KYT) can tell you in real time when your users are transacting directly with risky addresses. You also need to consider indirect exposure. Your reporting responsibilities go beyond the first address sending funds to your service from the outside, and the effort required for a bad actor to set up a third address acting as an intermediary between your platform and those criminal addresses is trivial.
Besides monitoring for explicitly risky activity, your jurisdiction likely requires you to file and report certain types of transactions. For instance, FinCEN requires cryptocurrency businesses (as well as all other money services businesses) to file Currency Transaction Reports (CTRs) for any deposits, withdrawals, or currency conversions (i.e. Bitcoin to USD, Bitcoin to Ethereum, etc.) valued at $10,000 or more. Most FATF member countries have an equivalent rule in some form. Cryptocurrency businesses in FATF countries also must follow the Travel Rule, which requires them to identify the sending and receiving users on either side of any transfer above $3,000 worth of cryptocurrency, and transfer that information to the service on the other side of the transaction, provided that second service is also a custodial cryptocurrency business (known as a Virtual Asset Service Provider, or VASP, in FATF terms). It’s also important to keep in mind that specific states or regions within jurisdictions often impose their own rules on top of those set at the country level. For instance, cryptocurrency businesses operating in New York state must obtain a unique license from the New York Department of Financial Services and follow unique rules around the specific coins they can facilitate usage of, amongst other provisions.
Lastly, cryptocurrency businesses must keep records of and sometimes submit reports on transactions that, while not explicitly associated with illegal activity or in violation of FATF rules, appear to constitute an attempt to hide such activity or are otherwise suspicious. Examples include:
- Payment structuring. Structuring occurs when a user conducts multiple transactions at amounts just below those that would trigger reporting under FATF rules. For instance, if a U.S. user makes multiple transfers to an address at another service of just below $3,000 worth of cryptocurrency, you need to report it, as it could represent an attempt to circumvent the Travel Rule.
- Velocity increases. A velocity increase refers to an instance of a user suddenly and drastically increasing their trading activity. For example, a user who quickly goes from trading once per week to trading twenty times per week would be worth noting in your records.
- Common counterparties. You should take note of any unknown addresses that numerous users are transacting with, especially at large volumes. For instance, if you notice that in the last month 20 users have begun sending funds to an address not associated with any known service, it’s worth making a note of it in case more suspicious activity occurs later.
- Anomalous activity. Anomalous activity refers to any sudden change in a user’s trading behavior, especially large increases in volume. For instance, if you operate an exchange and a user who has been trading roughly $100 worth of cryptocurrency per week suddenly makes $10,000 worth of transactions in a week, you should record and possibly report that activity as suspicious.
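The four patterns above can be written as simple rules over a transaction ledger. The Python below is an added example for this guide, not Chainalysis or Fireblocks code; the ledger, user names and addresses are constructed, the band, window, factor and user-count parameters are assumed tuning values, and the $3,000 threshold is the Travel Rule figure named above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TRAVEL_RULE_USD = 3_000  # per-transfer identification threshold named in the text

# Constructed sample ledger (not real data):
# (user, ISO timestamp, counterparty address, USD value, counterparty is a known service)
LEDGER = [
    ("alice", "2020-06-01T10:00", "addr-ex1", 2_950, True),
    ("alice", "2020-06-02T10:00", "addr-ex1", 2_900, True),
    ("alice", "2020-06-03T10:00", "addr-ex1", 2_980, True),
    ("bob",   "2020-05-20T09:00", "addr-unk", 100, False),
    ("bob",   "2020-05-27T09:00", "addr-unk", 100, False),
    ("bob",   "2020-06-01T09:00", "addr-unk", 5_000, False),
    ("bob",   "2020-06-02T09:00", "addr-unk", 5_000, False),
    ("carol", "2020-06-01T12:00", "addr-unk", 50, False),
    ("dave",  "2020-06-02T12:00", "addr-unk", 50, False),
]

def structuring(ledger, threshold=TRAVEL_RULE_USD, band=0.05, min_count=3,
                window=timedelta(days=7)):
    """Users with at least min_count transfers just below the reporting
    threshold (within band of it) inside any rolling window."""
    flagged, per_user = set(), defaultdict(list)
    for user, ts, _, usd, _ in ledger:
        if threshold * (1 - band) <= usd < threshold:
            per_user[user].append(datetime.fromisoformat(ts))
    for user, stamps in per_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if sum(1 for s in stamps[i:] if s - start <= window) >= min_count:
                flagged.add(user)
    return sorted(flagged)

def weekly(ledger, user, by_value):
    """ISO week -> transaction count (or USD volume) for one user."""
    buckets = defaultdict(float)
    for u, ts, _, usd, _ in ledger:
        if u == user:
            year, week, _ = datetime.fromisoformat(ts).isocalendar()
            buckets[(year, week)] += usd if by_value else 1
    return buckets

def spike(ledger, user, by_value=False, factor=5):
    """Velocity increase (by_value=False) or anomalous volume (by_value=True):
    latest week compared with the mean of the user's earlier weeks."""
    b = weekly(ledger, user, by_value)
    if len(b) < 2:
        return False
    weeks = sorted(b)
    baseline = sum(b[w] for w in weeks[:-1]) / (len(weeks) - 1)
    return b[weeks[-1]] >= factor * baseline

def common_counterparties(ledger, min_users=3):
    """Unknown addresses (not a known service) receiving from many distinct users."""
    senders = defaultdict(set)
    for user, _, addr, _, known in ledger:
        if not known:
            senders[addr].add(user)
    return {addr: len(u) for addr, u in senders.items() if len(u) >= min_users}
```

Each rule returns the users or addresses worth recording; in practice the hits feed the risk-based response policy described in the next section rather than triggering action on their own.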
Responding to suspicious activity
Once you’re monitoring transactions for suspicious activity, what should you do when you spot it? Make sure that you’re asking this question before you’re actually faced with suspicious activity. It’s crucial that you come up with a plan for all possible scenarios, including grey areas and workflows for assessing unforeseen scenarios, and translate them into well-documented policies and procedures for your compliance team.
Our recommendation for any compliance policy? Take a risk-based approach.
There’s no single blanket compliance policy that will work for every cryptocurrency business. But every policy should start with an understanding of the organization’s risk tolerance, and from there set out responsive actions for all forms of suspicious activity based on how much risk they introduce. The amount of risk a suspicious or illicit transaction introduces depends largely on the amount of funds transacted and the severity of the risky counterparty — a user sending thousands of dollars’ worth of cryptocurrency to a darknet market should clearly be considered much riskier than one sending a few hundred dollars’ worth to a gambling service. Most cryptocurrency businesses respond in one of the following ways when users conduct a risky transaction, depending on the level of risk introduced and previous risky activity exhibited by the user:
- Contacting the customer for an explanation of the transactions before deciding whether or not to take action
- Freezing the user’s funds
- Restricting the user from transacting with larger amounts that would trigger the next KYC tier (if the business is indeed using a tiered KYC collection system)
- Banning the user from the platform
Again, no single policy makes sense for every exchange, so you need to think in advance about which of those responses you’ll employ depending on the riskiness of the activity in question.
In any event, if a user’s activity is suspicious enough for you to take any of the above steps, it also means you should file a Suspicious Activity Report (SAR) with FinCEN, or the equivalent organization in the relevant jurisdiction. SARs are mandatory in these scenarios, and must be filed with the appropriate body within 30 days of the suspicious activity occurring. This means that as your business grows, you’ll eventually need an automated transaction monitoring system to keep up with suspicious activity and file SARs in a timely manner — it’s virtually impossible that any cryptocurrency business with substantial transaction volume and a functioning compliance policy wouldn’t be filing a large number of SARs.
Compliance isn’t easy. But if you invest in your team, arm yourself with the right tools, and complete the steps outlined above, you should be able to keep yourself in good standing with financial regulators and build a safe cryptocurrency platform for your users.
Security for cryptocurrency businesses
Security is just as important as compliance when it comes to building a safe cryptocurrency business. When they aren’t properly secured, digital asset transactions can be extremely vulnerable to cyberattacks and other threats. In fact, over $15 billion in digital assets has been stolen in the past 8 years in crypto exchange hacks.
However, if you account for the main attack vectors that hackers tend to target, the transaction process is significantly safer. These attack vectors include:
- private keys
- deposit addresses
- API keys
We’ll explore all three in greater detail below.
Private keys
Hackers and other malicious actors (such as internal colluders) may attempt to compromise a victim’s private keys in order to access their wallet, which controls the funds they have stored on the blockchain. This enables the attacker to transfer the funds from the victim’s wallet to anywhere, including into their own wallet. One recent example of this is the Cryptopia hack of January 2019, in which professional hackers stole $16 million by compromising Cryptopia’s wallet system.
Some of the ways in which private keys have been compromised before include:
- Infecting a server with malware that steals the private key.
- Stealing an HSM (hardware security module) authentication token and forcing the HSM to sign a withdrawal transaction.
- An authorized internal employee steals the private key.
Today, institutions in the digital asset space are securing private keys using MPC (multi-party computation). MPC represents a powerful next step in private key security, and it’s even more effective if it’s secured in hardware (e.g. Intel SGX, a chip-level hardware isolation enclave) and across multiple cloud providers.
MPC is a strong wallet solution because it offers immediate access to digital assets while retaining the highest level of security. The fundamental capabilities of MPC eliminate the single point of compromise of the private key, rendering it into a “liquid” form where each user has their own private share. At the same time, MPC’s distributed nature allows team members to require multiple authorizers for a transaction and sign transactions without being in the same location.
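The "private share" idea rests on threshold secret sharing, shown here as an added Python example (not Fireblocks code or any production MPC protocol): a key is split into shares so that any threshold of them reconstructs it and fewer reveal nothing. A real MPC wallet goes further and signs without ever reassembling the key, so the reconstruct step below exists only to demonstrate the threshold property; the prime field and share counts are toy assumptions.

```python
import secrets

# Toy field for the demo (assumption): a 127-bit Mersenne prime. Real schemes
# work over the signing curve's group order (~256 bits), but the math is the same.
PRIME = 2**127 - 1

def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... modulo PRIME using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, threshold, n_shares):
    """Shamir split: a random polynomial of degree threshold-1 whose constant
    term is the secret; share i is the point (i, f(i)). No single share holder
    has the key, which is the 'no single point of compromise' property."""
    assert 0 <= secret < PRIME and 1 < threshold <= n_shares
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the supplied shares. Yields the
    secret only when at least `threshold` distinct shares are supplied."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def demo(threshold=2, n_shares=3):
    """Split a random key 2-of-3; show that two shares recover it and one does not."""
    key = secrets.randbelow(PRIME)
    shares = split_secret(key, threshold, n_shares)
    enough = reconstruct(shares[:threshold]) == key
    too_few = reconstruct(shares[:threshold - 1]) == key  # a lone share is just a random field element
    return enough, too_few
```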
Deposit addresses
A deposit address is a long alphanumeric string that designates the public address of a wallet. To transfer funds to a counterparty, it’s necessary for both parties to exchange deposit addresses. Hackers target this deposit address exchange process at a number of points along the way. They compromise deposit addresses through:
- Fraudulent Chrome web extensions that hijack the web browser (man-in-the-browser).
- Spoofing the address while copy and pasting between the web browser and the wallet’s app.
- Intercepting and modifying the deposit address while it’s being sent between counterparties on a messaging service (e.g. Telegram).
- Hijacking code on the exchange’s website to spoof the address at the origin – such as the gate.io exchange hack that relied on a code breach of the web service StatCounter.
- Malware that hijacks the wallet interface, driver, or counterparty’s computer.
In one prominent attack, hackers stole $140,000 in BTC through a man-in-the-middle attack that replaced copied-and-pasted deposit addresses with ones of the hackers’ choosing.
A number of methods have been utilized to mitigate the threat of deposit address compromise. Some of the most common methods for securing deposit addresses include test transfers, whitelisting, and hardware wallets.
Today, solutions like Fireblocks Asset Transfer Network have taken deposit address issues out of the equation by automating address authentication, rotation, and management. Test transfers and whitelisting are no longer necessary for institutions on this network.
API keys
Exchanges and liquidity providers often have users utilize API keys for automated access to their platforms. These credentials are vulnerable to traditional forms of malware such as keylogging and phishing. API keys stored in trading software can also be stolen if the server or code repository is compromised.
One of the most prominent examples of an attack based on compromised API keys was the Binance exchange hack (May 2019). Hackers used phishing and viruses to obtain a large number of two-factor authentication codes and API keys. They made off with 7,074 BTC – worth more than $40 million on the day of the attack – in just one transaction.
In general, once a hacker obtains API keys, it’s possible for them to:
- Instruct unauthorized withdrawal of funds from an exchange.
- Manipulate the market using pre-funded assets on a compromised account.
Today, institutions use a variety of methods to protect API secrets, including chip-level hardware isolation. The unique security properties of chip-level hardware enclaves guarantee confidentiality and execution integrity. This prevents hackers and solutions providers from accessing keys or spoofing the authenticity of deposit addresses to where funds are transferred.
It’s best to treat API keys similarly to private keys by splitting them up into MPC shares in addition to securing them in hardware. Recent developments in API security include the HMAC-MPC algorithm, which applies MPC to API key secret credentials – effectively enabling customers to access exchanges with distributed API keys and removing the single point of compromise.
If left unchecked, private keys, deposit addresses, and API keys can lead to serious security issues – including cyberattacks by hackers or even internal security breaches. But it’s absolutely possible to secure all three if a defense-in-depth approach (in which all attack vectors are mitigated through multiple layers of software and hardware security) is taken.
The next step for cryptocurrency
Cryptocurrency continues to gain traction, and appears poised to become a mainstream investment asset and medium of exchange. But for that to happen, we in the industry need to make sure cryptocurrency has consumer protection measures and compliance processes comparable to what users are accustomed to getting when dealing in fiat currencies. By following the steps we outline in this guide, cryptocurrency businesses can achieve the necessary levels of security and compliance for their current users, and pave the way for continued adoption by new ones.
Fireblocks acts as an additional security layer for transfers between custodial cryptocurrency platforms, accepting or rejecting transactions based on rules your compliance team sets. When you integrate Fireblocks with Chainalysis, you can incorporate Chainalysis real-time risk scoring into the process, and automatically flag or even halt transfers that involve addresses associated with criminal activity or otherwise trigger compliance action. All transactions are logged in a central repository with any risky characteristics highlighted, which makes it easy to fulfill your compliance obligations around recordkeeping and reporting suspicious activity to relevant regulators.