Crypto Exchanges and Wallet Providers: The current state of KYC verification and AML regulation

The Cryptocurrency KYC verification process for Exchanges and Wallet Providers could soon see some fundamental changes. European authorities are heatedly discussing whether and how new AML regulation for Bitcoin and other Cryptocurrencies should be adopted, or whether existing rules ought to be amended to fit the bill.

The EU under pressure

Following a number of statements from national authorities and their representatives, like the Governor of the Banque de France, who warned against the speculation in and abuse of Bitcoin and others, the pressure had increased on the European Union to introduce rules in respect of Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) that would extend to cryptocurrencies. Even when the UK Treasury announced its plans to crack down on Bitcoin and other digital currencies because of growing concerns that they are being employed for money laundering and tax evasion, it was hardly news, despite the waves such statements make. The EU has been well aware of the need to address the issue of cryptocurrencies and AML regulations for a while, and at the end of last week its institutions eventually agreed to implement stricter rules on exchange platforms that deal with virtual currencies, in a measure that is part of an effort to prevent terrorist financing and money laundering. The new measures would require exchanges and wallet providers that previously allowed users to remain anonymous to identify them. The new rules will also limit the use of pre-paid payment cards, raise transparency requirements for company and trust owners, allow national investigators more access to information, including national bank account registers, and grant access to data on the beneficiaries of trusts to “persons who can demonstrate a legitimate interest”.

The EU has been moving painfully slowly on the matter, and its decision doesn’t mean that the matter will be resolved immediately either. The EU’s member states need to adopt the rules formally and transfer them into their national laws within the next 18 months.

No checks so far? Really?

While this may sound as if wallet providers and exchanges do close to nothing to monitor their clients, that isn’t quite correct. Anyone who has ever used either knows that, as part of the registration process, personal information needs to be provided, contact details like phone numbers and email addresses are verified, and other measures are taken depending on the respective provider. Naturally, these vary from exchange to exchange and wallet provider to wallet provider, but in many cases the initial signup is fairly easy, but comes with dealing or withdrawal restrictions that are only lifted . We already published a user experience on the opening of an account and the respective verification earlier this year with cryptocurrency payment provider Bitwala. As described in the post, and as is typical of other firms, while the initial sign-up is a question of seconds, the approval of enhanced features, including moving significant amounts, can be a little more burdensome and require a substantial amount of time (in terms of waiting for documentation review or video call scheduling as measures for enhanced due diligence, for instance).

What if something goes wrong though?

While the Bitwala experience went rather smoothly back in the day, other providers struggle heavily, especially in light of the increasing popularity of their services of late. And here lies the problem: since many of these firms do not hold the necessary resources and expertise in house, they rely heavily on outsourcing and/or automated services. Victims of their own success, they all of a sudden need more resources to approve accounts and clients, and they need them quickly. In addition, the crux of many automated solutions is that, while they manage to address the basic approval processes, the slightest abnormality forces them into manual review, for which the firms are often ill-prepared. Bittrex, one of the ten biggest exchanges by volume, for example, is known to have major problems with its verification process. Since they seem unable to deal with the amount of growth, Bittrex representatives state that they “are experiencing a longer than normal wait time resolving customer requests”. The normal wait time is specified as one week on their website, but the numerous accounts of customers voicing their anger on message boards across the crypto community (e.g. simply google “Bittrex verification issues” to find clients accusing the company of stealing their money or suspecting it to be a massive Ponzi scheme) point to weeks and months of waiting, while the money is locked up and can’t be moved out.

Not an isolated case

In all fairness, it should be said that the results are not flattering for other cryptocurrency exchanges and wallet providers we have tested either. It’s also a good thing that these firms do not simply throw all caution overboard, as there is good reason to try as much as possible to prevent cryptocurrencies from being used for money laundering, as they have been in many cases in the past. The fact that many exchanges and wallet providers seem to choose a rough-and-ready approach over solid and responsible business and product development shows the shortcomings of the industry, which in some cases borders on negligence or even fraud.

What next?

Customers are often left with nothing else but trying to let off steam on forums or writing angry messages to the companies, which seldom seem to have an impact. Eventually the providers will come around and deal with the backlog, but the fact that they are struggling mightily already raises serious concerns in at least two ways:

First, once the regulatory situation is clarified and market participants need to comply with the same or similar rules as traditional financial institutions, the pressure on the resources of cryptocurrency exchanges and wallet providers will only increase further, and quite significantly. Based on current results, the outlook for things to come is not too bright at all, and regulators are not going to sit idly by once they have the legal obligation to act.

The second aspect could potentially harm the crypto industry even more. Regulatory action often happens only once the damage is already done, and considering the drive of these crypto start-ups to keep costs low and resources to the necessary minimum, the question is how well the sensitive customer data they receive is protected. Exchanges are already prone to attacks from hackers seeking to withdraw the funds of clients, but there is also significant value in the information exchanges and wallet providers hold on clients. While traditional financial organisations are not exempt from data breaches, they at least are subject to regulatory scrutiny, so the idea of massive data breaches amongst unregulated institutions cannot be ignored, and it rather looks like a nightmare before Christmas in the making.