Compliance and AML Practices: An Open Letter to Cryptocurrency Exchanges and Services

Sep 28, 2021 | AML, compliance, money laundering, ransomware

This past week, the US government took action for the first time to sanction a foreign cryptocurrency exchange, Suex, in an effort to stem the tide of ransomware and cybercrime. This enforcement action puts Suex in the same category as suspected terrorists. The consequences for cryptocurrency exchanges that facilitate transactions for these types of actors, especially after an enforcement action like this, can therefore be severe.

The US government finally appears to be taking more serious action against cryptocurrency exchanges, including foreign exchanges that facilitate illicit transactions. This raises a variety of questions, all ultimately related to which compliance and anti-money laundering measures exchanges need to adhere to in order to be compliant. The reality is that in 2021, many of these measures (such as proper utilization of a blockchain analysis/transaction monitoring tool) are no longer in their nascency; in fact, they are considered industry norms and have been for years.

In CipherBlade’s opinion, Suex is only the tip of the iceberg. While we are familiar with Suex (having come across them in our investigations multiple times before), there are many other services out there that are just as bad, and many others that are not so far off.

What is Suex and What Did They Do?

Suex is a cryptocurrency OTC broker legally registered in the Czech Republic. However, it has no physical presence there. They instead operate out of a variety of other locations. Suex offers cryptocurrency exchanging services. Whether or not one calls them a ‘cryptocurrency exchange’ is a matter of semantics. The US Treasury has referred to them as a ‘virtual currency exchange.’ Suex was found to be facilitating a very large portion of illicit transactions, including for ransomware actors especially. The US government elected to implement sanctions on them due to the large percentage of illicit activity they facilitated for their own financial gain. It’s conceivable that Suex may have been continuously uncooperative with law enforcement in these examples, which wouldn’t surprise us given our own history and knowledge of them.

‘Nested Services’ and Rogue OTCs

Before going further, it’s first important to distinguish between two types of exchanges/services. First, there are the standard cryptocurrency exchanges. Think Coinbase, Binance, Kraken, Bitfinex, Huobi, etc.

Secondly, there’s another category that can be described as a combination of ‘rogue OTCs’ and ‘nested services.’ A ‘nested service’ can be considered a service (or exchange) operating within or on top of another larger exchange, which it largely uses for liquidity. These services are absolutely operating a business, and often a money services business (MSB). They may or may not refer to themselves as an ‘exchange.’ Suex specifically fits into this second category.

It is increasingly common to see large portions of funds sent to, or otherwise laundered through, these types of lesser-known nested services and OTCs rather than through accounts held directly with major exchanges. What’s crucial to understand is that nested services all utilize a major exchange (or exchanges) for liquidity. Some of these rogue OTCs and nested services (of which there are many more than traditional exchanges) are less than compliant, to put it mildly. While an exchange may perform standard Source of Wealth checks in order to satisfy regulatory requirements, there has been a trend of exchanges seemingly turning a blind eye to their nested services, expecting them to have equivalent compliance measures yet providing little to no oversight of such measures.

Many willfully facilitate illicit transactions as Suex has. Many others turn a blind eye to illicit activity. Most have grossly inadequate compliance policies. Some don’t have a compliance policy at all, even if they list one on their website as Suex has done, which is often boilerplate phrasing and compliance theatre. Some others aren’t responsive to notifications of illicit activity or information requests from law enforcement or subpoenas. While nested services are finally becoming a hot topic, these issues are far from new. MorphToken took a similarly problematic stance and has been down for months now.

There are undoubtedly a decent number of nested services and OTCs who genuinely strive to be compliant; they aren’t really at issue. What is at issue are non-compliant services, but also the exchanges and services that effectively allow non-compliant services to operate, facilitating transactions for these services who are conducting these transactions for ransomware actors.

The Concerns

This has some cryptocurrency exchanges concerned about just what obligations they have as a money services business (MSB) to be compliant. Not all exchanges want to be compliant though (and those that don’t will never admit it, and are increasingly becoming experts at compliance theatre). For exchanges that genuinely want to be compliant, we thought it would be helpful to describe some core obligations and responsibilities that exchanges have in general as MSBs and the steps they ought to be taking to minimize money laundering and illicit transactions on their exchange.

Baseline AML Fundamentals for Cryptocurrency Exchanges

Due to jurisdictional reasons and vague or unclear AML policies in various jurisdictions, what may be compliant in one jurisdiction may not be considered compliant in another. However, we think it’s fair to say that there are some baseline AML fundamentals that exchanges need to adhere to regardless of jurisdiction, and certainly are things we observe as industry norms.

Having an Actual Compliance Policy

It’s a bit sad that this one actually needs to be mentioned, but there are a few exchanges and services out there that don’t even bother drawing up a compliance policy, since they really couldn’t care less about facilitating illicit activity. The actual content of the compliance policy is something we’ll discuss later on, but it’s fair to say the particulars could reasonably vary based on jurisdiction, types of transactions facilitated, and other factors.

Adhering to Said Compliance Policy

It’s very easy to draw up a compliance policy. But just because an exchange draws up a compliance policy doesn’t mean they even bother to adhere to their own policy. Almost every exchange, including exchanges that facilitate a large amount of illicit volume similar to Suex, will claim to have a comprehensive compliance and anti-money laundering (AML) program. As we’ll see, just because an exchange claims to be compliant doesn’t make it true.

Being Responsive to Law Enforcement Information Requests and Subpoenas

A compliant exchange needs to offer a way for law enforcement to get in contact with them, and the exchange needs to respond to law enforcement and respond in a cooperative manner (and not telling law enforcement to figuratively get lost). Just as with other businesses, exchanges have the right to decline to provide law enforcement with personal information without first being served with a subpoena.

There’s some degree of debate as to what pieces of information would constitute ‘personal information’ and what pieces of information would not (which could also vary to some degree based on the jurisdiction). The purpose of this article is not to get into a debate about what is or ought to be personal information, and what is not. The bottom line is to be responsive to law enforcement requests when they are relevant and proportionate. There are many ways that an exchange can be helpful to law enforcement in a way that doesn’t reveal a user’s personal information at all.

Having a Real Compliance Team or Staff

Does the exchange have real compliance staff tasked with ensuring the exchange’s compliance policy is adhered to? Are these staff monitoring for suspicious activity in any way? Or is the exchange designating a generic support agent who knows nothing about compliance to deal with matters of compliance? Furthermore, are employees properly trained and empowered to take whatever actions they need to minimize suspicious activity? For example, if an employee needs permission from an executive to take a fairly basic measure, that’s not exactly effective.

Being Responsive and Taking Internal Action When Discovering or Being Presented with Credible Indications of Illicit Activity

Does the exchange do anything when illicit activity is discovered? All too often, the answer from many of the shady exchanges and services out there is to do nothing. Sometimes that involves ignoring information received from applicable parties (including law enforcement). Sometimes that involves responding in a largely dismissive way and continuing to carry on just as things were before. Sometimes it involves lying and claiming to take immediate action, while in reality doing little to nothing at all.

Also, cryptocurrency exchanges operate 24/7. If it takes an exchange 3-4 business days to action a high volume of illicit activity that has been uncovered, that’s not a good look at all. It’s important to be responsive, which will entail having an adequately staffed compliance team.

There are some exchanges, such as Suex, that will refuse to participate in industry organizations such as Crypto Defender’s Alliance, refuse to take action when presented with irrefutable evidence that their platforms are being actively utilized to launder funds, and effectively will only take any action if legally compelled to do so, if that. In essence, these exchanges like to pretend governments determine compliance actions, which is, obviously, simply not how this works. If an exchange is provided with irrefutable evidence of suspicious activity, regulatory requirements in almost every jurisdiction dictate that the exchange must take appropriate measures.

Monitoring Accounts for Suspicious Activity and Utilizing Tools to Detect Suspicious Activity

How would an exchange know that illicit funds are being sent to their exchange, say from a ransomware attack? There are really only three conceivable ways.

  1. The exchange is informed by another party (could be law enforcement, but also a third party like CipherBlade) that illicit funds deriving from a ransomware attack are being sent to them. Given the speed at which cryptocurrency can be laundered, time is most certainly of the essence, hence why the aforementioned point of being responsive is important.
  2. It’s publicly available information, i.e., mentioned in the news, and the software provider picks up on it and attributes it as such. This option is not normally viable, since not all financial losses caused by cybercrime are worthy of a news story. Most DeFi rugpulls make it to the news, but the vast majority of ransomware payments don’t make it to the press for various reasons.
  3. The exchange uses transaction monitoring software, also known as KYT software, to detect when funds deriving from a ransomware attack are being sent to their service, which can, in turn, flag the suspicious accounts for further review. There are many different transaction monitoring software platforms out there. Most are garbage in our opinion. And the few good ones aren’t cheap. Some companies merely buy a cheap tool, assign it to an inexperienced user, and leave it on default settings. Simply having a compliance tool makes an exchange no more compliant than being in a garage makes you a car. None of these concepts (appropriate resource allocation to compliance) are novel to cryptocurrencies.

One obvious question is how the transaction monitoring software knows that a given address might hold funds received from a ransomware attack to begin with. The answer, in this case, is relatively simple: it has been reported as such to that service by a credible party. This process is known as ‘attribution.’

As you can probably imagine, credible parties (like CipherBlade) don’t go emailing 100 different software providers when notifying them about ransomware funds. Often it’s only reported to a select few parties, maybe 1-3, and specifically the few ‘major’ well-known ones. Ergo, most transaction monitoring software platforms have relatively poor attribution, and since the software is only as good as the attribution it has, most transaction monitoring software performs extremely poorly compared with the best software available.

Exchanges that want to be compliant need to be utilizing well-known KYT software and need to be doing so effectively. While there are plenty of KYT software options available on the market, some of which are better than others, our independent opinion is that Chainalysis and Elliptic have by far the best solutions available for exchanges in this regard.
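To make the attribution-driven monitoring described above concrete, here is an added example (not CipherBlade’s code, nor any KYT vendor’s product) of a toy deposit screen: it walks back from an exchange deposit address over a constructed transfer graph, reports any attributed source reached within a hop limit, and also flags the multi-ATM convergence pattern described under Scams below. All addresses, account ids, categories and amounts are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed attribution list: addresses a credible party reported to the
# monitoring service, with the category assigned. Every value is made up.
ATTRIBUTION = {
    "bc1ransom001": "ransomware",
    "bc1atm_a": "atm_operator",
    "bc1atm_b": "atm_operator",
    "bc1atm_c": "atm_operator",
}

# Constructed on-chain transfers: (sender, receiver, amount in BTC).
TRANSFERS = [
    ("victim_wallet", "bc1ransom001", 4.0),  # ransom payment
    ("bc1ransom001", "hop_1", 3.9),          # two hops before cash-out
    ("hop_1", "hop_2", 3.8),
    ("hop_2", "dep_otc", 3.7),               # deposit address of a nested OTC's account
    ("bc1atm_a", "dep_4402", 0.05),          # three ATMs feeding one deposit address
    ("bc1atm_b", "dep_4402", 0.07),
    ("bc1atm_c", "dep_4402", 0.04),
    ("payroll_wallet", "dep_0091", 0.5),     # unremarkable deposit
]

# Constructed mapping from exchange deposit addresses to the owning customer account.
DEPOSIT_OWNER = {"dep_otc": "acct-otc-17", "dep_4402": "acct-4402", "dep_0091": "acct-0091"}


def reverse_index(transfers):
    """Map each receiving address to the (sender, amount) pairs that funded it."""
    idx = defaultdict(list)
    for sender, receiver, amount in transfers:
        idx[receiver].append((sender, amount))
    return idx


def trace_exposure(deposit_addr, transfers, attribution, max_hops):
    """Walk backwards from deposit_addr up to max_hops and return
    {attributed_address: (category, hops)} for every labelled source reached.
    Anything beyond max_hops stays invisible, which is what limited
    attribution depth looks like in practice."""
    idx = reverse_index(transfers)
    seen = {deposit_addr}
    queue = deque([(deposit_addr, 0)])
    found = {}
    while queue:
        addr, hops = queue.popleft()
        if hops == max_hops:
            continue
        for sender, _amount in idx.get(addr, []):
            if sender in seen:
                continue
            seen.add(sender)
            if sender in attribution:
                found[sender] = (attribution[sender], hops + 1)
            queue.append((sender, hops + 1))
    return found


def screen_deposit(deposit_addr, transfers=TRANSFERS, attribution=ATTRIBUTION,
                   max_hops=3, atm_threshold=3):
    """Return a list of alert dicts for one deposit address; an empty list means
    no attributed source was reached within max_hops."""
    account = DEPOSIT_OWNER.get(deposit_addr, "unknown-account")
    exposure = trace_exposure(deposit_addr, transfers, attribution, max_hops)
    alerts = []
    for src, (category, hops) in sorted(exposure.items()):
        if category == "ransomware":
            alerts.append({
                "account": account, "rule": "ransomware_exposure",
                "source": src, "hops": hops,
                # direct receipt from an attributed address is the clear-cut case;
                # indirect exposure still needs a compliance analyst to look at it
                "action": "freeze_pending_review" if hops == 1 else "manual_review",
            })
    # Convergence rule: one deposit address funded directly by several distinct
    # ATMs is the pattern of a scammer collecting victims' purchases.
    atms = sorted(src for src, (category, hops) in exposure.items()
                  if category == "atm_operator" and hops == 1)
    if len(atms) >= atm_threshold:
        alerts.append({"account": account, "rule": "multi_atm_convergence",
                       "source": atms, "hops": 1, "action": "manual_review"})
    return alerts


if __name__ == "__main__":
    for dep in DEPOSIT_OWNER:
        print(dep, screen_deposit(dep))
```

Running the screen with `max_hops=2` misses the ransomware source entirely, which is the practical cost of a tool with shallow attribution or default settings.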

Making a Genuine Effort not to Facilitate Illicit Activity

A more subjective factor is whether or not an exchange is making a genuine effort not to facilitate illicit activity. Are they really trying or are they turning a blind eye? Are they pretending to care but in reality, it’s just a facade for them to save face and continue to facilitate dirty volume to capture more profit? Do they have common-sense standards? Do they have sufficient compliance personnel able to review indications of suspicious activity on a remotely timely basis? There are presently minimal incentives for compliance, while there are far more incentives for non-compliance while feigning compliance. Take, for example, the current state of Bitcoin ATM operators, where there are only a handful of truly compliant ATM operators and the majority of ATM operators have the majority of their outbound Bitcoin sent to scams.

Ultimately, it can be profitable for an exchange to facilitate illicit activity. They receive fees associated with the illicit volume. They get more volume on their exchange in general (which helps them acquire other customers). They have fewer expenses, since they spend little or nothing on compliance (e.g., labour and tools). Having a compliance program necessarily entails some degree of added cost.

Indicators of Suspicious Behaviour

A compliant business should be monitoring for suspicious activity and money laundering on their exchange. People who work in compliance know the basic things to be looking for. These include structuring, layering, and usage of multiple accounts; most of these things aren’t new. There are a variety of other things to be looking for as well, but the purpose of this article is not to provide an exhaustive list of the various factors and policies worth considering.

Ultimately, these types of indicators and flags should be stipulated more conclusively in an exchange’s internal compliance policy. That policy shouldn’t be disclosed publicly, for obvious reasons: otherwise, an illicit actor may learn what actions an exchange does (or doesn’t) take and gain a better idea of how to subvert them.

Know Your Customer (KYC)

Not all exchanges conduct KYC verification on all their customers. This is not inherently problematic. While some exchanges may feel they are required to do so in all instances, others don’t feel that way. In CipherBlade’s opinion, conducting KYC on all users isn’t an inherent requirement for an exchange to be compliant in general (some jurisdictions may have a blanket requirement though). There are plenty of other facets to compliance apart from conducting KYC. There are individuals who simply prefer to avoid the use of services that require KYC for a variety of different reasons, including privacy, even when they’ve done nothing wrong.

There are certainly instances where exchanges ought to be conducting KYC on a user. Typical factors that an exchange should weigh include jurisdiction, transaction volume, trading volume, withdrawal volume, and how robust the rest of their compliance policy is.

There may also be situations where it becomes more important to conduct KYC when certain factors are met, in accordance with a Risk-Based Approach.

The bottom line is that KYC only forms a small part of an overall compliance program. Having KYC is not, by itself, an indicator of an exchange or service being compliant, even if it’s mandatory on all accounts.

And by the way, if you’re going to have users go through KYC, make sure your KYC process isn’t a complete joke. If you’re actually conducting KYC on applicable users, Borat and Taylor Swift outfits, combined with obvious fake IDs, shouldn’t be able to get past your ‘comprehensive KYC process.’

A Risk-Based Approach (RBA)

The solution, as most compliance professionals are aware, is a risk-based approach. Suspicious activity isn’t always black or white. It can often be grey. We aren’t going to go into detail here about just what activities exchanges should consider more suspicious or risky, but assessing risk is an inherent role of any real compliance team. It’s their job to identify risky or suspicious behaviour, and in some cases conduct manual reviews or assessments.

Scams, Frauds, and Money Muling

In many jurisdictions, compliance can involve taking various measures to mitigate the number of scam victims, fraud victims, and money muling that may occur through their service.

Scams and frauds involving cryptocurrency aren’t going away anytime soon. There’s also no measure that exchanges can take to prevent every individual scam victim from sending funds to scammers. But there are some things that can be done, especially by ‘fiat on-ramps,’ to mitigate the amount of fraud that’s occurring, and especially for new users of cryptocurrency, who are more likely to be scammed than a ‘veteran.’ This includes things like providing warnings to users about scams and frauds, and providing them with education on these types of frauds. It also includes detecting when users may be at a higher risk of being defrauded; how many 55-year-old women do you know that invest in cryptocurrency, for example?

The issue is that many individuals simply ignore it and fail to educate themselves, even when it’s in front of their face. All too often, when people come to us after a classic giveaway scam, they say something along the lines of ‘I can’t believe I was so stupid!’ Unfortunately, education can’t help everyone. 

The reality is the vast majority of exchanges and services are already doing a pretty good job in our opinion to help prevent this type of fraud. Even with scams being as bad and as frequent as they are, scams would be far more frequent and numerous if not for the compliance policies of many compliant exchanges out there. The reality is the vast majority of Coinbase customers successfully use Coinbase without getting scammed and sending funds directly to scammers.

We talked earlier about exchanges that profit considerably due to very high amounts of illicit funds received, and subsequently laundered, and those select exchanges elect to do little to nothing about it. There is ultimately a ‘market’ for that type of service for obvious reasons. 

Conversely, there is also a ‘market’ for depriving scam victims of their funds, as deplorable as that may sound. Many of these users (i.e. victims) are very new to cryptocurrency. Many are victims of romance fraud. Many are elderly. Many have no clue how cryptocurrency works, including the irreversible aspect of crypto transactions and its pseudonymity, unlike the majority of people reading this article.

Some people like to write these victims off as ‘stupid.’ Head over to /r/cryptocurrency and you’ll find plenty of people who think that if people are dumb enough to get scammed, they deserve it. This train of thought isn’t acceptable, in our opinion, and regulators in a good portion of jurisdictions impose regulations on money service businesses in an effort to mitigate the number of scam victims.

As mentioned, there are some services where a very large portion of their business involves facilitating funds from scam victims. The ATM operator CoinFlip is one such example. As the evidence shows, the majority of funds from CoinFlip go to a combination of Binance.com (specifically, Binance.com deposit addresses that show Bitcoin being received from multiple ATMs, essentially confirming the Binance account is held by a scammer), where US persons can’t even hold an account, and a variety of exchanges that operate primarily or exclusively in African countries such as Nigeria.

At CipherBlade, we’ve seen exchanges with varying degrees of compliance issues. Some are naturally better than others. Scammers will typically refer a prospective victim of theirs to an easy and quick ‘on-ramp’ that may have a lacklustre compliance program to buy Bitcoin so the victim can send it to the fraudster abroad. Obviously, the more lacklustre the compliance program, the greater the likelihood that the victim will be scammed. For some services, facilitating these types of fraud transactions is a business — it results in much-needed revenue for them, for which they have no problem looking the other way, or outright denying it in the face of irrefutable evidence.

Practical Considerations

Exchanges should also bear in mind that it’s not uncommon for cybercriminals to use services that wouldn’t retain a high degree of information that would identify the cybercriminal. For example, a cybercriminal would have to be pretty dumb to send stolen funds directly to an exchange account of theirs that has gone through KYC. CipherBlade does see that in some cases, but it’s certainly not the norm. Cybercriminals generally use a variety of obfuscation techniques. The services cybercriminals may use, at least initially, are less likely to have KYC data that would identify the individual responsible. It’s possible that the exchange may have little more available of investigative value apart from the withdrawal data from the applicable account.

Law Enforcement not Qualified or Responsive to Cybercrime Victims

When developing (or updating) an internal compliance program, it’s worth considering that in many cybercrime cases involving cryptocurrency, it can be particularly challenging for victims to receive law enforcement contact to begin with, for a plethora of reasons.

  1. Lack of knowledge, skills and expertise on the part of law enforcement.
    Many law enforcement agents, including ones that focus primarily on cybercrime, have a poor or even non-existent understanding of blockchain technology and cryptocurrency. They may not even understand basics such as what a transaction hash is. They may have difficulty understanding and relaying the necessary information to an exchange to begin with, and are unlikely to understand the nuances of blockchain forensics.
  2. Lack of tools.
    Many law enforcement agents lack the necessary tools (and possibly the training) to use tools like blockchain forensics software. Many law enforcement agencies have access, but access is delegated on a per-user basis, and not all users have licenses to such software.
  3. Understaffing.
    Many law enforcement agencies are grossly understaffed. They don’t have sufficient personnel resources to keep up with the number of inquiries, particularly in highly technical and skilled areas like cybercrime. This leads law enforcement to only pursue select cases in many instances. As it stands, there are few law enforcement professionals with the tools and training to take on cryptocurrency investigations, and those few will often feel pressure to work non-cryptocurrency cases. This certainly has been noticeable in the US with how busy law enforcement has been as a result of the pandemic and insurrection.
  4. Loss size and/or willingness to pursue.
    A law enforcement agency may lack the willingness to pursue a given case for a variety of reasons. It could be because the victim is from a country where law enforcement just doesn’t care or doesn’t pursue cybercrime cases, period (more likely to happen in less developed countries), or a law enforcement agency may decline to pursue if the loss isn’t high enough to warrant it (such thresholds can be quite high).

These are all factors that exchanges may wish to be cognizant of when designing or updating their compliance programs. Designing a well-built compliance program is hard work and in many cases, there’s no one correct answer or path to take.

Freezing and Seizure

Compliant exchanges will occasionally run into instances where, for one reason or another, they detect suspicious activity. In select cases, those suspicions can be severe enough to warrant an exchange restricting or otherwise ‘freezing’ an applicable account or customer deposit pending further information, investigation, or due diligence.

When that suspicion turns out to be well-founded, and the customer was trying to launder ill-gotten funds through the given exchange, there are a few things the exchange can expect from their customer:

  1. A common practice would be to request some details on how the customer acquired said funds in the account. The process is known as ‘source of funds’ or Source of Wealth. Often, if the suspicions are well-founded, the account owner won’t be able or willing to offer a reasonable explanation, much less any actual evidence, detailing the source of funds.
  2. The customer account is much less likely to have gone through KYC verification, and even more importantly, they’ll typically be unwilling to go through such verification.
  3. The customer may be either completely silent or will send one or two messages in an effort to get their funds, but then will eventually ‘move on.’ When a person laundering funds has an account of theirs frozen, they often quickly realize that funds in frozen accounts, in their case, are effectively a ‘write-off.’ A hacker sometimes won’t even bother sending customer support a message asking ‘why can’t I withdraw my funds’; they know what happened, or if not, they tend to catch on pretty quickly. They may have a burner email address, which they eventually stop checking, hence an additional reason for low responsiveness from the prospective customer.

Since even a semi-competent hacker will ‘structure’ funds when laundering, it’s unlikely that there will be a 6+ figure USD balance in the account to freeze. The question an exchange’s legal team should be asking themselves is what happens to funds in such instances. Should the exchange:

  1. Request and/or insist on a seizure warrant prior to turning funds over.
  2. Insist on a formal request from law enforcement to turn funds over, in lieu of #1.
  3. Refuse to turn funds over altogether (the big question then becomes what happens with the funds).
  4. Release funds to the customer as originally requested by them.
  5. Another solution entirely.

Again, there’s no easy answer here, and the answer could certainly vary on a case-by-case basis. Many compliant exchanges elect to go with option #1; indeed, it is largely the standard, and it’s something they are in their full right to demand as well. However, it’s also worth considering the costs of obtaining a seizure warrant can be incredibly high as well; it can run well into the six figures USD in some jurisdictions. Ergo, exchanges may wish to consider other solutions in certain circumstances when more practical, particularly in cases where the evidence is clear cut or non-contentious. 

Facilitating Non-Compliant Nested Services

Some of the worst offenders that are facilitating rogue OTCs and non-compliant nested services right now include Kraken, Kucoin, and Huobi (these names do tend to change over time, and to add insult to injury, these exchanges aren’t the most responsive either). The usage of a rogue OTC like Suex can be an effective workaround so that an attacker need not have an account at the applicable exchange, but ultimately it’s fair to say that the exchange is still facilitating the transaction from the ransomware attacker (it’s merely being done from the account of the rogue OTC and not the attacker’s own account). So even if the exchange has verified who their customer is (the OTC), that alone isn’t sufficient, since this scheme threatens to circumvent whatever compliance measures the exchange has in place (if any).

Exchanges still have an obligation to monitor suspicious transactions going into applicable accounts, but it’s also critically important for exchanges to ensure that whatever rogue OTCs/nested services they do business with are compliant themselves — and it’s critical for exchanges to conduct regular assessments of these business customers of theirs to ensure they are adequately compliant as well. Otherwise, there can absolutely be a threat of enforcement actions and arguably legal liability as well.

Concluding Thoughts

Many exchanges are required by respective regulators to have a compliance policy that includes many of the basic aspects we’ve discussed here. Not all exchanges will elect to do this, however. There will always be ‘markets’ and exchanges that cater towards facilitating illicit transactions because it can be profitable to facilitate illicit activity. The fewer the options, the more potential for profit there is.

The level of knowledge pertaining to compliance that I’ve personally witnessed from some CEOs would make most people’s heads turn, including those that have no knowledge/experience of compliance. 

For those who work in compliance specifically — I’m fully aware that most of the things I’ve described would be considered common sense to you. Unfortunately, not all exchanges choose to implement common sense, and the typical underlying reason is for financial gain.

The US government has fired a big shot across the bow in its enforcement action against Suex. It’s perhaps the first indication that ransomware and cybercrime, in general, are starting to be taken more seriously. Governments have taken action against a variety of cryptocurrency exchanges before, BitMEX being one of the more recent and BTC-e one of the oldest, with plenty in between. There will undoubtedly be more in the future. But Suex is the first instance where the US government has classified a cryptocurrency exchange into a group with terrorists.


Nothing in this article is to be construed as legal advice.