Can you KYC with a VPN? Crypto exchange controls scrutinized by attorney general report
October 4th, 2018
The New York Attorney General (“NYAG”) recently issued a report on its fact-finding enquiries to multiple virtual currency trading platforms believed to be operating in New York. One of its many interesting findings was how virtual private networks (“VPNs”) may permit market manipulation. VPNs are a critical tool for privacy-minded cryptocurrency traders, as well as the only method for some traders to access these markets in countries such as China. Based on the NYAG’s report, should cryptoexchanges assume that VPN access is no longer permissible?
The NYAG’s focus on VPNs was in the context of the effectiveness of access controls to ensure fairness and integrity and protect customers. Access controls start with basic Know Your Customer (“KYC”) processes to confirm a new customer’s identity. While eight of the trading platforms which responded to the enquiry required customers to submit various forms of personal information and government-issued identification before trading, Bitfinex requires little more than an email address to trade between exchanges (as opposed to withdrawing/depositing fiat currency). Tidex, which states that it prohibits users from the United States and is currently filing with FinCEN to become a money services business, requires only a name, email address and phone number.
A common additional access control for online businesses is to monitor IP addresses of users to determine the approximate geographic location of users and track suspicious behavior coming from a particular computer connection. For example, transactions in multiple accounts coming from one IP address may be suspicious. Simultaneous access from IP addresses which are not in proximity could be a sign of fraud or a cyberattack.
IP addresses can also be masked using VPNs which route connectivity through a third-party network. This permits an individual to feign residency in a different jurisdiction or open several accounts and pretend that they are not related. Companies which block VPN access, such as Netflix and Hulu, most likely are screening access against a known list of VPN servers. These controls are not fool-proof since VPN services often change server IP addresses to stay one step ahead (as those using VPN to access Facebook from China can validate).
While most of the exchanges that responded to the NYAG reported that they monitor access by IP address, only two claimed to limit VPN access. The two exchanges, Bitstamp and Poloniex, have both withdrawn from jurisdictions such as New York due to regulatory issues.
In addition to making sure that IP addresses from New York are not provided access to unauthorized exchanges, the NYAG raised concern that cryptoexchanges which neither require documentation to execute a trade nor takes active measures to block access via VPN may not be able to address manipulative or abusive trading activity. For example, one individual may open up two accounts and engage in wash trades. Wash trades occur when traders buy and sell the same asset repeatedly to create the false appearance of market activity in order to move prices.
Unfortunately wash trades are believed to be common in crypto markets because exchanges are ranked based on trading volume. One report estimates over 7 of the top 10 exchanges engage in excessive wash trading from 12x to over 100x their true volume, and one is believed to inflate their trading 4400x.
VPN access can also pose risks from an anti-money laundering perspective. Virtual currency exchangers have been subject to the Bank Secrecy Act’s anti-money laundering requirements since as early as 2011. Failure to comply with KYC requirements can result in large penalties, such as the $700,000 fine assessed by FinCEN against Ripple Labs in 2015. OFAC has also stated that it will treat digital currencies the same as fiat currencies, and sanctions violations carry strict liability which does not require intent to violate the law to be proven.
FinCEN has been focused on IP addresses mentioned in suspicious activity reports for many years. In 2014 they reported that an investigation of IP addresses mentioned in SARs found 975 hits for possible Tor network addresses, corresponding to reports totaling nearly $24 million in likely fraudulent activity.
However, before the advent of cryptocurrencies it was deemed unlikely that FinCEN would expect the filing of a SAR just because of the use of different VPN addresses. It will be interesting to see if the purely online nature of cryptocurrencies, and perhaps the growth of digital banks, will heighten FinCEN’s scrutiny of VPNs.
As of today the NYAG report ostensibly is only a platform to educate the public and provide a number of questions that consumers should ask to protect themselves when considering various exchanges. However, they also mentioned that they referred three of the four exchanges which failed to respond to the enquiry, Binance, Gate.io, and Kraken, to the NY Department of Financial Services for potential violation of New York’s virtual currency regulations. It would not be surprising if one of these or other non-licensed entities are soon asked by the NYDFS to explain their VPN access policies.