Crypto Exchanges Should Take a Hard Look at IP Address-Masking Services
Richard Malish is General Counsel at NICE Actimize where he counsels on global anti-money laundering, fraud, trading compliance and banking regulatory matters.
The New York Attorney General (“NY AG”) recently issued a report on its fact-finding enquiries to multiple virtual currency trading platforms believed to be operating in New York. One of its many interesting findings was how virtual private networks (“VPNs”) may permit market manipulation.
VPNs are a critical tool for privacy-minded cryptocurrency traders, as well as the only method for some traders to access these markets in countries such as China. Based on the NY AG’s report, should crypto exchanges assume that VPN access is no longer permissible?
Not necessarily, but they need to look at the issue in the broader context of their overall compliance program.
Stepping back, the NY AG’s focus on VPNs was in the context of the effectiveness of access controls to ensure fairness and integrity and protect customers. Access controls start with basic Know Your Customer (“KYC”) processes to confirm a new customer’s identity.
While eight of the trading platforms which responded to the enquiry required customers to submit various forms of personal information and government-issued identification before trading, Bitfinex requires little more than an email address to trade between exchanges (as opposed to withdrawing/depositing fiat currency). Tidex, which states that it prohibits users from the United States and is currently filing with the Financial Crimes Enforcement Network (FinCEN) to become a money services business, requires only a name, email address and phone number.
A common additional access control for online businesses is to monitor IP addresses of users to determine their approximate geographic location and track suspicious behavior coming from a particular computer connection. For example, transactions in multiple accounts coming from one IP address may be suspicious. Simultaneous access from IP addresses which are not in proximity could be a sign of fraud or a cyberattack.
IP addresses can also be masked using VPNs, which route connectivity through a third-party network. This permits an individual to feign residency in a different jurisdiction or open several accounts and pretend that they are not related. Companies which block VPN access, such as Netflix and Hulu, most likely are screening access against a known list of VPN servers. These controls are not foolproof since VPN services often change server IP addresses to stay one step ahead (as those using VPNs to access Facebook or crypto exchanges from China, where unlicensed VPNs are illegal, can attest).
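The three IP-based checks described above (several accounts behind one address, near-simultaneous access from distant locations, and screening against a list of VPN servers) can be sketched as review logic over login events. This is an added example, not part of the original article; the account names, addresses, coordinates and the VPN range are constructed, and the GEO table stands in for a real GeoIP lookup.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample data (documentation-range IPs, hypothetical accounts).
# A static VPN list goes stale as providers rotate servers, so a miss proves nothing.
VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
GEO = {  # stand-in for a GeoIP lookup: ip -> (lat, lon)
    "198.51.100.7": (40.71, -74.01),  # New York
    "198.51.100.9": (40.73, -73.99),  # New York
    "192.0.2.44": (51.51, -0.13),     # London
    "203.0.113.5": (52.37, 4.90),     # Amsterdam, inside the VPN range
}
EVENTS = [  # (account, ip, ISO timestamp)
    ("acct_a", "198.51.100.7", "2018-10-01T12:00:00"),
    ("acct_b", "198.51.100.7", "2018-10-01T12:01:00"),
    ("acct_c", "198.51.100.9", "2018-10-01T12:05:00"),
    ("acct_c", "192.0.2.44", "2018-10-01T12:20:00"),
    ("acct_d", "203.0.113.5", "2018-10-01T13:00:00"),
]

def km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    (la1, lo1), (la2, lo2) = [(radians(x), radians(y)) for x, y in (a, b)]
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def review(events, max_kmh=900):
    """Return a set of flags for manual review; a flag is a signal, not proof."""
    flags = set()
    by_ip, by_acct = defaultdict(set), defaultdict(list)
    for acct, ip, ts in events:
        by_ip[ip].add(acct)
        by_acct[acct].append((datetime.fromisoformat(ts), ip))
        if any(ipaddress.ip_address(ip) in net for net in VPN_RANGES):
            flags.add(("known_vpn", acct, ip))
    for ip, accts in by_ip.items():  # several accounts behind one address
        if len(accts) > 1:
            flags.add(("shared_ip", tuple(sorted(accts)), ip))
    for acct, logins in by_acct.items():  # locations too far apart for the time gap
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            if ip1 == ip2 or ip1 not in GEO or ip2 not in GEO:
                continue
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 60)
            if km(GEO[ip1], GEO[ip2]) / hours > max_kmh:
                flags.add(("implausible_travel", acct, (ip1, ip2)))
    return flags
```

A shared address can also be an office or carrier NAT, which is why the output is a review queue rather than a block list.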
While most of the exchanges that responded to the NY AG reported that they monitor access by IP address, only two claimed to limit VPN access. The two exchanges, Bitstamp and Poloniex (now a part of Circle), have both withdrawn from various jurisdictions due to regulatory issues.
In addition to making sure that IP addresses from New York are not provided access to unauthorized exchanges, the NY AG raised concern that crypto exchanges which neither require documentation to execute a trade nor take active measures to block access via VPN may not be able to address manipulative or abusive trading activity.
For example, one individual may open up two accounts and engage in wash trades, which occur when traders buy and sell the same asset repeatedly to create the false appearance of market activity to move prices.
Unfortunately, wash trades are believed to be common in crypto markets because exchanges are ranked based on trading volume.
One report estimates over 7 of the top 10 exchanges engage in excessive wash trading from 12x to over 100x their true volume, and one is believed to inflate its trading 4,400x.
VPN access can also pose risks from an anti-money laundering perspective. Virtual currency exchangers have been subject to the Bank Secrecy Act’s anti-money laundering requirements since as early as 2011. Failure to comply with KYC requirements can result in large penalties, such as the $700,000 fine assessed by FinCEN against Ripple Labs in 2015.
The Office of Foreign Assets Control (OFAC) has also stated that it will treat digital currencies the same as fiat currencies, and sanctions violations carry strict liability which does not require intent to violate the law to be proven.
FinCEN has been focused on IP addresses mentioned in suspicious activity reports (SARs) for many years. In 2014 the agency reported that an investigation of IP addresses mentioned in SARs found 975 hits for possible Tor network addresses, corresponding to reports totaling nearly $24 million in likely fraudulent activity.
However, before the advent of cryptocurrencies, it was unlikely that FinCEN would expect the filing of a SAR just because of the use of different VPN addresses. Some banks have restricted VPN access to websites, but policies differ between firms.
New rules unlikely, but…
It will be interesting to see if the purely online nature of cryptocurrencies, and perhaps the growth of digital banks, will result in heightened U.S. regulatory scrutiny of VPNs. It appears unlikely that prescriptive federal VPN rules will be passed any time soon given the conservative approach taken by regulators such as the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) on more fundamental issues related to cryptocurrency.
As of today the NY AG report ostensibly is only a platform to educate the public and provide a number of questions that consumers should ask to protect themselves when considering various exchanges. Although three of the four exchanges which failed to respond to the inquiry, Binance, Gate.io, and Kraken, were reported to the New York State Department of Financial Services (DFS) for potential violation of the state’s virtual currency regulations, it is unclear whether the NY AG report will encourage the DFS or other regulators to force digital currency exchanges to prohibit VPNs.
Rather, cryptocurrency exchanges will most likely be forced to reckon with VPN access as part of any regulatory or law enforcement actions for market manipulation, which could come any day. The DFS in February 2018 already reminded virtual currency businesses to implement measures to deter market manipulation.
And the U.S. Department of Justice (DOJ) has reportedly been working with the CFTC on a criminal probe of possible market manipulation in crypto markets since at least the summer. The CFTC proved that it takes market manipulation related to cryptocurrency seriously as early as 2015 when it settled wash trade charges against TeraExchange for the fairly innocuous offense of reporting one test bitcoin swap transaction as a real transaction.
Cryptocurrency exchanges operating in the U.S. or doing business with customers in the U.S. should promptly review their policies for verifying and monitoring authorized access.
If your business desires to continue to permit masked VPN addresses, the decision should be made in consideration of other controls and the damage that market manipulation or anti-money laundering charges would have on your firm’s business. For example, facial recognition access controls might be considered as an alternative method to prevent one person trading across several accounts.
However, if your exchange currently permits users to open multiple accounts, has no market manipulation policy or is actively encouraging market manipulation to increase your market cap rankings, VPN may only be a footnote in your eventual enforcement action.