KYC, AML, and the SEC: Exchange and ICO Regulations

As more and more money flows in and out of cryptocurrencies and cryptocurrency exchanges, these institutions are finding themselves subject to the laws and regulations imposed on the broader financial services industry. Some find this burdensome and feel that it detracts from the libertarian, anti-bank ethos of cryptocurrency. The crypto-to-crypto exchange Shapeshift, for instance, refuses to serve customers in the state of New York, due to New York’s controversial BitLicense.

Other firms, such as Coinbase, have a more positive stance on regulation. In testimony before the U.S. House of Representatives Capital Markets Subcommittee, Mike Lempres, the Chief Legal and Risk Officer at Coinbase, said, “A clear regulatory environment that fosters innovation while protecting investors is an important step in digital currency’s evolution as a technology. Regulatory clarity will encourage and accelerate entrepreneurial activity in digital currency, ultimately resulting in new products and services that benefit consumers and businesses.”

The cause of the controversy lies in the bundle of regulations designed to prevent financial institutions from being used to launder profits from criminal activities.  These regulations are referred to as KYC/AML (know your customer/anti-money laundering) laws.

In the United States, KYC/AML requirements are dictated by the Bank Secrecy Act (BSA), the PATRIOT Act, and the Office of Foreign Assets Control (OFAC).  

The Bank Secrecy Act requires financial institutions to provide internal controls ensuring compliance, provide independent compliance testing, designate an individual responsible for ensuring compliance, and provide compliance training for personnel.

The Bank Secrecy Act also mandates that financial institutions file certain reports on their customers’ activities. These reports include:

  • Currency Transaction Reports (CTR): Banks must report cash transactions exceeding $10,000 in one business day.
  • Suspicious Activity Reports (SAR): To be filed if a customer appears to be attempting to avoid triggering CTRs or otherwise appears to be laundering money or engaging in criminal finance.
  • Foreign Bank Account Report (FBAR): U.S. citizens and permanent residents must disclose foreign accounts valued at $10,000 or greater.
  • Monetary Instrument Log (MIL): Required for instruments such as money orders, cashier’s checks, or traveler’s checks in excess of $3,000.
  • Currency and Monetary Instrument Report (CMIR): Must be filed by any person or institution that ships currency or monetary instruments such as money orders or cashier’s checks into or out of the U.S. in aggregate amounts greater than $10,000.

The PATRIOT Act imposes its own requirements on financial institutions, which are as follows:

  • Collect ID documents and taxpayer ID information (such as SSN) from customers.
  • Verify said information.
  • Keep records of said information.
  • Compare the information against government records.
  • Notify customers of information collection procedures.

Lastly, the Office of Foreign Assets Control (OFAC) publishes a list of countries with which U.S. citizens and permanent residents are forbidden from doing business, and ensures that U.S. financial institutions are not doing business with individuals, firms, or governments of sanctioned nations such as North Korea, Venezuela, or Cuba without special permission from OFAC.

While the vast majority of cryptocurrencies, including the most popular—Bitcoin and Ethereum—are anonymous (or pseudonymous), the KYC factor comes into play on exchanges—the places where cryptocurrency is traded.

Theoretically, if one were to live entirely off of Bitcoin (meaning their income and spending were entirely denominated in BTC) it would be impossible to match that Bitcoin user’s real identity with their BTC wallet (provided that individual took proper precautions).

In the case of traders and investors who move money between crypto and fiat, some requirements must be put in place to ensure that criminals are not utilizing digital currency exchanges to launder their ill-gotten gains.

In 2013, the Financial Crimes Enforcement Network (FinCEN) stated that digital asset exchanges operating in the United States were subject to the requirements stipulated by the Bank Secrecy Act.

The increase in regulatory scrutiny over cryptocurrency has been a boon to third-party KYC providers such as Ofindo, which saw a ten-fold increase in digital asset-related business in the last quarter of 2017.

In addition to the KYC/AML requirements stipulated by the Bank Secrecy Act, the PATRIOT Act, and the Office of Foreign Assets Control, digital asset exchanges must also follow directives from the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC).

In 2013, the Securities and Exchange Commission (SEC) charged a Bitcoin Ponzi scheme operator with securities fraud, effectively setting the precedent that scams involving digital currency constitute securities fraud.

The SEC has since focused its attention primarily on Initial Coin Offerings (ICOs), as the new capital-raising technique has brought up concerns that these token sales may constitute securities offerings.  

In July of last year, as the popularity of ICOs began to increase, the SEC published a memo warning investors about fraudulent ICOs.  In December of last year, as ICOs (along with crypto/blockchain itself) really began to take off, the SEC published another memo which issued essentially the same warning.

This March, the SEC issued another statement warning investors about ICOs, this time focusing more on the unregulated nature of the exchanges used to trade ICO tokens.

In April, Director of Corporate Finance at the SEC William Hinman testified at a Congressional hearing that his division was carefully examining ICOs, and believed that, as long as there was a central actor profiting off of the token offering, said sale most likely constituted a securities offering.

In May of this year, the SEC launched a fake ICO—HoweyCoin—to show investors how easy it can be to get scammed by a fraudulent coin offering.  The HoweyCoin website included several obvious red flags such as accepting credit card payments and guaranteeing returns.  If one clicks on the “buy tokens” button, the link directs them to an article on the SEC’s website about fraudulent ICOs.

While warning investors about fraud in the ICO space is certainly important, one could argue that what is really needed from the SEC at the moment is specific regulatory guidance, not general warnings or fake token offerings. As the popularity of ICOs continues to rise, however, it is inevitable that the SEC will be forced to lay down official guidelines sooner or later. To its credit, the SEC does appear to be considering the issue carefully, and has chosen, for the time being, to allow token offerings to continue while a verdict is reached, rather than prematurely clamping down on the new capital-raising technique.

Some ICOs attempt to use SAFTs (simple agreements for future tokens) as a means to get around restrictive securities laws. The logic behind issuing a SAFT as opposed to a fully-functional digital token is that since the SAFT is a promise of future value, rather than a conferral of present value such as an equity stake, the issuance would not constitute a securities offering.

Undoubtedly, this is tenuous legal reasoning, and the SEC and other regulatory bodies would likely not be swayed by it. However, there have been no statements from the SEC as to whether using a SAFT to perform an ICO avoids the classification of a securities offering.

Under SEC Regulation D (Reg D), a securities offering may exempt itself from the need to register with the SEC.  This regulation is designed to allow small companies which might not be able to foot the bill for an IPO to still raise capital.

If a company offers securities under Reg D, however, there are specific requirements it must adhere to. One of these is that the security can only be offered to accredited investors (i.e., individuals who maintain a net worth of at least $1,000,000, not including their primary residence, and/or annual income of at least $200,000).

However, since many ICOs are performed anonymously, or, more accurately, pseudonymously, it may be impossible for the issuers of the token to verify that their investors meet the accreditation requirements necessary to participate in their ICO.

Growing pains are manifesting in the ICO space as the controversial capital-raising technique comes under greater regulatory scrutiny. In one of the most successful ICOs of 2017, Tezos raised approximately 232 million dollars. Now, the legal counsel advising the Tezos project has implored the firm to perform KYC/AML checks on its ICO investors nearly a year after the fundraising has finished. The completion of KYC/AML checks will be necessary for investors to receive their promised Tezos tokens once the betanet launches. Some have claimed that demanding KYC/AML verification to receive promised tokens goes against the ethos of a permissionless, decentralized system.

Given that the crypto space is full of innovators and entrepreneurs, it is not surprising that there are already firms hard at work trying to solve these issues. One such company is Vertalo, a platform for conducting token offerings that operates in compliance with U.S. securities law.

To use Vertalo, issuers and investors must go through KYC/AML procedures, and verify their accreditation status in order to participate in the platform’s token offerings.  As the ICO space attracts more and more attention, it is likely that sooner or later, all token offerings will take place on (comparatively) regulated platforms such as Vertalo.

This article has focused on regulation in the United States; however, other jurisdictions have put in place different rules on virtual currencies and ICOs. Here’s a map of ICO regulations around the world:

Global ICO Regulations