
Managing the Intersection of Cryptocurrency and Compliance

By Tom Skeen

Cryptocurrency startups are still all the rage these days, but many of these companies have had a "break rules first, settle lawsuits later" approach to operating. Those days are over. How can cryptocurrency startups navigate a world where every major regulatory agency has begun to crack down?

Is “Know Your Customer” Regulation a Cryptocurrency Achilles’ Heel?

Here’s just one example of how regulators can make it difficult for cryptocurrencies to do business – Know Your Customer (KYC). Know Your Customer is a regulation designed to make sure that banks have a reasonable idea of who their customers are when those customers use their services. It’s designed as a defense against money laundering. Cryptocurrency, however, is designed explicitly to defeat KYC – ideally, it’s a completely anonymous method of using and holding money.

There are some solutions that make KYC possible without breaking the concept of cryptocurrency, but some of them are a bit of a kluge. For example, although Bitcoin doesn’t store user identification within its ledger, a Bitcoin merchant may require users to register with their name, email, phone number, etc. before purchasing digital currency. This lets them satisfy KYC while still keeping Bitcoin technically anonymous, but this approach leads to further difficulties.

By keeping a record of their customers outside of the Bitcoin ledger itself, merchants are creating a data store of customer information that’s very tempting for potential attackers. What’s more, when cryptocurrency customers’ information is stolen, attackers don’t just have their information – they have their Bitcoin as well. A single attack on a South Korean Bitcoin exchange known as Coinrail didn’t just result in loss of funds – the entire market moved, losing $42 billion of value in just one hour.

To be sure, it isn’t Bitcoin itself that’s deficient in terms of security – it’s the cryptocurrency exchanges themselves. Not only do they lose when it comes to civil regulations such as KYC, they also lose when it comes to stringent regimes such as PCI-DSS.

Other Compliance Issues May Hamstring Bitcoin Merchants

It seems that in attempting to scale rapidly, Bitcoin merchants and other cryptocurrency vendors have neglected to invest properly in information security. Instead of building a native capability for cybersecurity or compliance, they’ve either outsourced it to nebulous third parties or ignored it altogether. Here’s an example:

Once your money is in a Bitcoin wallet, it’s theoretically secure and cannot be stolen. Bitcoin merchants still need some way of converting your old-fashioned fiat currency into Bitcoin, however. This means processing credit card transactions, which means becoming compliant with PCI-DSS. Are any Bitcoin exchanges PCI-compliant?

It’s hard to prove a negative, but let’s look at one of the biggest Bitcoin exchanges, Coinbase, as an example. Coinbase is a genuine unicorn, with a $1 billion valuation – but it’s not PCI-compliant. Instead, it uses an unnamed external payment processor, which it claims is PCI-compliant. While this isn’t a compliance violation, there’s no way for us to know if Coinbase is using a processor that’s genuinely PCI-certified. In this, Coinbase is the norm, not the exception.

Given that a widespread lack of trust in various cryptocurrency exchanges has delivered a series of shocks to the overall market, it’s not unreasonable to call for change. Instead of exporting the business of compliance to unnamed third parties, cryptocurrency exchanges need to become verifiably secure – and fast. How can that happen?

Safe-T Offers Turnkey Compliance for Companies in Startup Mode

Cryptocurrency exchanges are often in permanent startup mode, and many startups believe that strict compliance is inimical to success – it slows down companies that are trying to move fast and break things. That’s where Safe-T can help. Safe-T is compliance that moves at startup speed. In just a short amount of time, we can impose order on your mission-critical data, create easy-to-use administrative controls, and prevent attacks – all of the bullet points that most major regulatory regimes will require. With Safe-T, you can move fast, stay compliant, and keep your customers’ trust – all at the same time.

Want more information? Sign up for a free trial today!
