Ten Digital Currency Exchange “Best Practice Tips” drawn from New York Attorney-General’s Virtual Markets Integrity Initiative Report
Digital currency exchange operators and regulators are working towards a regulatory regime for digital currencies. Here are ten best practice tips to stay ahead.
As operators and regulators alike feel their way toward a regulatory regime for digital currencies, any insight into the thinking of a key regulator should be considered carefully. All the more so when that regulator is New York’s Attorney-General.
We look at the New York Attorney-General’s Virtual Markets Integrity Initiative Report released last month and draw out 10 Best Practice Tips for digital currency exchange operators looking to stay ahead of the regulatory curve.
Last month the New York State Office of the Attorney General’s (OAG’s) “Virtual Markets Integrity Initiative” released its Report addressing “areas of particular concern to the transparency, fairness and security” of virtual asset trading platforms.
The Report drew on the results of a survey and questionnaire sent to thirteen significant industry players in the virtual currency sector, nine of which responded.
Key points from the Report
We have selected below some of the key areas of regulatory concern highlighted in the Report. We have taken the liberty of assembling the points below in what we would argue reflects a descending order of importance and priority.
Cyberspace and the Westphalian system of sovereign states make for strange bedfellows. It is trite to say that services offered online – virtual currency exchanges for example – can in theory be offered from any location, to any person in any other location.
The flip side of that coin for virtual currency exchanges is that unless you have robust Know Your Customer (KYC) and geo-locating procedures, you cannot credibly assert that you do not operate in a particular geographical jurisdiction.
Consider the recipients of the OAG’s industry survey who declined to participate in the survey on the basis that they did not allow trading from New York.
The OAG investigated these claims and as a result of its investigation, referred three entities to the Department of Financial Services “for potential violation of New York’s virtual currency regulations”.
Best practice tip #1: operators should be transparent about where:
- their operations are geographically based;
- the relevant operating entity is established or incorporated; and
- their customers are located.
Best practice tip #2: operators wanting to expand into a new territory should consider locating their assets and entities within that jurisdiction. This gives comfort to customers and to regulators alike.
Identity verification (aka “KYC”)
Practices and policies relating to confirming the identity of exchange customers vary dramatically – this was evident even across the relatively small sample size covered by the Report.
Traditional financial institutions are well versed in KYC requirements. However, the virtual currency world has yet to grasp this challenge effectively.
Digital currency exchange operators need robust KYC procedures – including the ability to detect when customers are using VPNs to access their platform – for two reasons.
First, without them, policies that require access to be controlled or restricted – for example, to prevent abusive trading activity, or to prevent access from certain geographical locations or jurisdictions – are meaningless because they cannot be enforced.
Second, and possibly more importantly, if the cryptocurrency industry wishes to shake off the stigma of being mainly about facilitating money laundering and other financial crime, it must do better in this area.
Best practice tip #3: operators should develop and implement robust customer verification and onboarding procedures.
There have been many high profile instances of digital currency theft; see for example the recent Tech Bureau heist in Japan last month.
As a related issue, the extent to which customer funds are protected from loss and theft is of keen interest to regulators.
But it would appear that there is no systematic approach across the digital currency industry by which holdings of digital currencies can be reliably ascertained, audited or verified.
If that is the case, a platform will not be able to reliably identify losses – for example, in the case of a cybersecurity breach.
To exacerbate the matter, the question of whether insurance might be available to respond to virtual currency theft or loss is currently largely untested.
The wider industry issue appears to stem, at least in part, from the lack of a uniformly understood set of cybersecurity standards for digital currency exchanges.
Until such standards can be formulated, digital currency exchanges need to look to cybersecurity best practice more broadly and to commonly accepted cyber and IT security standards, such as ISO/IEC 27001:2015 and ISO/IEC 27018:2014, and the US Government’s National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The Report specifically mentions the following cybersecurity measures:
- applying default two-factor authentication;
- allowing IP-address whitelisting by customers;
- “cold-storage” of cryptographic keys (i.e., storage that is not exposed to the internet); and
- conducting penetration testing.
Best practice tip #4: exchanges should develop and implement appropriate cybersecurity standards, having regard to broader IT industry standards, and bearing in mind the four basic cybersecurity mitigation strategies identified in the Report.
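The first two measures in the Report’s list (default two-factor authentication and customer-configurable IP-address whitelisting) are simple to state but easy to implement loosely, for example by making 2FA opt-in or by checking the allowlist only after a password has already been accepted. The following Python example is added here to show what a login policy that enforces both looks like; it is not code from the Report, from any exchange, or from the original article. The `Customer` record, the `authorize_login` function and the allowlist semantics (enforced only once a customer has configured one) are assumptions for the purpose of illustration; the one-time code generation follows RFC 4226/6238 (HMAC-SHA1, 30-second step, six digits), and the test secret is the published RFC test-vector key, not a real credential.

```python
import hashlib
import hmac
import ipaddress
import struct
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TIME_STEP = 30  # RFC 6238 default step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // TIME_STEP), digits)


def verify_totp(secret: bytes, code: str, now: Optional[float] = None, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift.
    Comparison is constant-time so that the check does not leak matching digits."""
    now = time.time() if now is None else now
    counter = int(now // TIME_STEP)
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


@dataclass
class Customer:
    # Assumed shape of an exchange customer record (hypothetical, not from the Report).
    user_id: str
    totp_secret: Optional[bytes] = None        # None = customer has not enrolled a second factor
    ip_allowlist: List[str] = field(default_factory=list)  # CIDR strings chosen by the customer


def authorize_login(customer: Customer, source_ip: str, otp: Optional[str],
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Policy decision taken after the password has been verified but before a session exists.

    1. If the customer has configured an IP allowlist, the source address must fall inside it.
    2. 2FA is the default: an account with no enrolled secret cannot log in at all, only enrol.
    3. The one-time code must verify against the enrolled secret.
    """
    if customer.ip_allowlist:
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in ipaddress.ip_network(net, strict=False) for net in customer.ip_allowlist):
            return False, "source IP not in customer allowlist"
    if customer.totp_secret is None:
        return False, "2FA enrolment required before login"
    if not otp or not verify_totp(customer.totp_secret, otp, now):
        return False, "invalid or missing one-time code"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: RFC 4226/6238 test-vector secret and a documentation IP range.
    secret = b"12345678901234567890"
    alice = Customer("alice", totp_secret=secret, ip_allowlist=["203.0.113.0/24"])
    bob = Customer("bob")  # never enrolled 2FA
    t = 59  # RFC 6238 test time: expected 6-digit code 287082
    print(authorize_login(alice, "203.0.113.10", totp(secret, t), now=t))
    print(authorize_login(alice, "198.51.100.5", totp(secret, t), now=t))
    print(authorize_login(bob, "203.0.113.10", "000000", now=t))
```

The ordering matters: the allowlist is evaluated before the one-time code so that a request from an unexpected network never reaches the second-factor check, and an unenrolled account is refused rather than silently admitted with password only, which is what "default" two-factor authentication means in practice.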
In Australia, cybersecurity expert and Australian Digital Commerce Association (ADCA) member SecureWorx Pty Ltd is working with ADCA and its members to design a cybersecurity assessment framework for digital currency platforms.
It is currently anticipated that the new standard will become available to ADCA members for implementation during the first half of 2019. ADCA will issue certifications to members that successfully implement and comply with the standard.
Chris Greig, Sales and Marketing Director for SecureWorx, said, “the standard will assist crypto currency organisations to develop the capabilities to address the cybersecurity threats that exist in the globally-connected network in which they do business. In so doing, certified ADCA members will give confidence to customers, regulatory authorities and critical third-party business partners that they understand the significance of, and are actively managing, the specific cybersecurity risks in this environment.”
Abusive trading activity
Individuals acting on their own cannot realistically compete with traders who have access to technological advantages such as high-velocity trading or the ability to colocate with or cross-connect directly to an exchange.
In serious cases, levels of automated trading may make up such a substantial proportion of platform trades that currency values are in effect being artificially manipulated by a few key players.
Platforms with ineffective KYC systems will not be in a position to detect, let alone discourage or prevent, users operating multiple accounts for the purposes of conducting artificial trades.
Best practice tip #5: digital currency exchanges should disclose in their publicly available policy documents whether, and to what extent, traders are permitted to use technological measures that provide an advantage. In addition, measures should be in place to ensure that operators can detect and prevent abusive trading activity.
Conflicts of interest
Closely related to the above, it would seem that a number of platforms engage in or permit activities that could conflict with the interests of casual third party users of the platform.
This may include where platform employees are permitted to trade, particularly where they may have access to information that is not generally available and may be price sensitive. Many exchanges severely limit, or prohibit altogether, trading by employees on the exchange’s platform.
Other areas in which such conflicts of interest arise may include where the exchange itself trades in large volumes of cryptocurrency on its own platform.
Best practice tip #6: digital currency exchanges should disclose in their publicly available policy documents whether, and to what extent, the platform or its employees or associates engage in activities that may put them in a conflict of interest situation with their customers.
Unclear or insufficiently detailed information about the different fees and charges that may apply is obviously undesirable.
Certain fee structures favour “professional traders over retail customers”. In some cases, professional traders enjoy special bilateral fee arrangements which are not visible or available to retail customers.
Best practice tip #7: digital currency exchanges should ensure that their public disclosures about fees are sufficiently clear and detailed and are not misleading (by omission or otherwise).
How are crypto-assets selected?
With the explosion of new coins onto the market, exchanges must decide which digital currencies to offer.
Financial market regulators – ASIC included – appear to be moving in a policy direction that will require a case-by-case determination as to whether a digital currency is or may be a financial product.
It is not clear at this stage what the relevant criteria for this determination will be, but it is likely that factors such as the longevity of the coin, the aggregate value of all coins of that type on issue and its history in the market will be relevant.
As far as offering digital currencies on an exchange is concerned, operators would be well advised to be able to articulate the criteria by which coins are selected for listing. Such an approach will stand in stark contrast to operators who uncritically list as many coins and pairings as possible in the interests of maximising revenue or, indeed, when coins are listed because the platform operator receives a fee for doing so.
Best practice tip #8: digital currency exchanges should develop a set of criteria by which they assess whether or not to include a digital currency or digital currency pairing on their exchange. Where a fee is received for the listing of a coin, this should be publicly disclosed.
Policies and transparency generally
One repeated area of criticism in the Report is the lack of transparency offered by operators into their policies, processes and procedures generally. Some specific issues in this regard are discussed above.
Expect additional regulators such as the ACCC to enter the fray if publicly facing documents are misleading or inadequate.
Best practice tip #9: digital currency exchanges should ensure that their public disclosures and policies generally are sufficiently clear and detailed and are not misleading (by omission or otherwise).
Acceptance of "fiat" currency
In order for exchanges to accept “fiat” currency (i.e., “real” money), they must have a relationship with a traditional financial institution.
In order to have such a relationship, the exchange must meet certain criteria. In theory then, a digital exchange that can accept fiat currency may be considered to have an element of legitimacy that “digital only” exchanges do not.
Best practice tip #10: digital currency exchanges should establish banking relationships with traditional financial institutions.
In our view, the Report lays the groundwork for a model of regulatory “best practice” in the digital currency field.
Our own regulators – chiefly ASIC and AUSTRAC – will undoubtedly find many points in this Report which resonate as they flesh out regulatory approaches in the coming months.
Operators with established exchanges, or those looking to set up new exchanges, should also look carefully at this Report and ask themselves whether they can get ahead of the regulatory curve by addressing the issues raised by the Report.