How Do KYC and AML Procedures in the Crypto Space Help Prevent Fraud?

The curious case of FTX

Early November was not an easy time in Hong Kong’s office of a global cryptocurrency exchange, FTX. After battling their competitor’s comments on social media on November 6, the company paused withdrawals on November 8. In the next two days, after hearing a vague comment from their colleagues in the Bahamas, the Asia-based employees were told they did not need to come to the office anymore. This fiasco of FTX’s management and their implementation of the Anti-Money Laundering (AML) procedures became a sensitive topic in the community ever since. After months of active encouragement from various global regulators to set up and follow AML and Know Your Customer (KYC) policies, Virtual Asset Service Providers (VASPs) saw FTX carry on with their operations whilst having an eight billion dollar hole in the balance sheet. An obvious question to come to mind would be whether achieving full transparency is still in vogue. If implementing KYC and AML procedures is still necessary, what could be done better to prevent cases like FTX?

How Alameda Research and FTX could both be involved in transacting users’ funds while being completely separate entities is now only part of history that we might never get to understand. KMPG published their version of what happened in this comprehensive report. What personally surprised me the most in this heinous case was the fact that FTX was admitted to have a robust due diligence when it was evaluated by investors, such as Ontario Teachers’ Pension Plan, Sequoia Capital, and Temasek. I don’t think that FTX necessarily did not have any AML and KYC procedures in place, or had them poorly designed. Rather, I would like to describe below why I believe crypto companies still need to work hard on developing and implementing such strategies. Let me first start with what I think went wrong with FTX’s compliance.

What potentially went wrong

Did the FTX team do their best at diligently looking into their own AML procedures? Me and my team at AMLBot have spent over three years helping companies comply with AML regulations. When talking to customers, I always like to emphasize that the goal of an AML audit is to determine whether the company has an appropriate AML program and whether employees are following the required policies and procedures. FTX might have developed sophisticated AML and KYC policies for their firm, customers and counterparties. However, to determine that employees followed those procedures, an auditor had to speak to stakeholders and review relevant files, systems, and documents. I can only make an assumption now, that the exchange’s top management observed discrepancies in the firm’s books and compliance actions, and yet chose to close their eyes to such events. Such things would be promptly caught and flagged to relevant auditors and regulators when the management and board are diverse. In FTX’s case, access to information and decision-making power was concentrated in the hands of a very small group that seems to have followed the same moral principles.

Why KYC and AML are here to stay

I strongly believe that the push to design and follow AML and KYC policies will continue to come from regulators in all jurisdictions globally. Reuters looked at the need for such initiatives in their September article, describing the regulatory environment in the United States. Besides being a clear trend, following AML compliance is beneficial to crypto for several key reasons. Firstly, implementing such policies and tools similar to AMLBot can provide better transparency and enhanced audit to exchanges, custodians and other VASPs. This will subsequently drive greater demand to those platforms, as users will develop a deeper trust. For example, when transacting through a crypto exchange with wallet checks enabled by AMLBot, customers can be sure to verify funds sources and avoid taking large counterparty risks.

Secondly, implementing wallet and transaction checks helps avoid having assets of certain customers blocked and prevented from entering the ecosystem. With proper checks in place, customers can be sure to never get involved in transactions that would damage their wallets’ reputation and history.

And finally, putting AML and KYC tools in place makes it possible to immediately identify scammers and block their funds, increasing the level of service security by several times. A recent example is an investigation done by AMLBot’s team about sanctioned Iranian entities transacting with Binance. In the published article with diagrams, the research is described in a more detailed way. In summary, almost 75% of the Iranian funds that passed through Binance were in a cryptocurrency called TRON that gives users an option to conceal their identities and thus obfuscate the flow of funds. Allowing, or rather not catching, such activities on the platform exposes the exchange to the risk of being hacked. Back in 2019, Binance already experienced a security breach which led to hackers’ withdrawal of 7,000 BTC.

All of the above can help instill the exchange’s partners and stakeholders with confidence in its business. However, in my opinion, the key is to gather the right team with independent opinions to follow and implement the designed AML policy. There is no point in working only with people that agree with you and never point at a different way of doing things. Especially when it comes to following a strict regulatory environment, finding the right internal auditor is just as important as working closely with external stakeholders.