The number of operators in the cryptocurrency arena has grown at an exponential rate, but has their understanding of operational risk and their mechanisms to manage it developed appropriately?
Whether they be exchanges, payment service providers, wallet issuers, or miners, they experience some of the same risks as the rest of the financial services sector, and some remarkably different ones. A recent benchmark study from the Cambridge Centre for Alternative Finance, Cambridge University, examined industry trends as well as operators’ perceptions of the threats facing their company. Here, we’ll explore some of the risks operators identified and how they might be managed.
Difficulty of obtaining and maintaining banking and money transfer operator (MTO) relationships
On average, cryptocurrency payment service providers rated this as their number one operational risk, especially those operators on the smaller end of the scale. 79% of the surveyed payment companies stated that they’d already established a relationship with a banking institution or MTO, but that the task of maintaining it was a significant challenge.
Currently, banks and money transfer operators are looking to free up space on their compliance officers’ desks to account for a series of regulatory overhauls and to leave capacity for any Brexit-related surprises. Further, in the current environment, UK banks aren’t willing to facilitate the activities, and undertake the associated risk, of a rising sector that they perceive to be filled with money launderers and cyber-criminals.
So, what can be done to better manage or establish these relationships with banks or MTOs?
- Professionalise and Organise – Payment companies can find it difficult, with their limited headcount, to manage their risk, compliance, and governance needs. But having a suite of robust, compliant, and straightforward policies is critical to expansion and to reassuring banks or MTOs.
- Identify, Manage, and Record – Demonstrate a vigorous risk management program. Ensure that you’re capable of identifying and mitigating the risks these organisations fear the most – the risk of facilitating money laundering or terrorist financing.
Cyber Security and Hacking
Unsurprisingly, the prominence of cybercrime on risk registers in the financial services sector is mirrored by those operating in the cryptocurrency sphere, especially exchanges, which regard it as their number one threat. In recent years, we’ve seen multiple examples of cryptocurrency operators falling victim to high-value thefts. Parity, a digital wallet provider, and Mt Gox, a Bitcoin exchange, were robbed of $32 million and $473 million respectively, the latter sum being 7% of all the bitcoins in existence at the time.
So apart from ensuring your technical protections are up to date, what else can be done?
- Training – the Information Commissioner’s Office suggests that the number one root cause of all data breaches is human error. As a result, the best way to reduce this source of risk is to implement a comprehensive security training program that emphasises that cybersecurity is a collective responsibility.
- Governance – don’t wait for GDPR to get on top of your data and IT governance. Ensure that you have a policy-backed vulnerability management program, that business continuity and disaster events are planned for, and that someone with the appropriate seniority has overall responsibility for managing this area of risk.
Failing to carry out the appropriate KYC/AML checks
Contrary to what many people think, the use of cryptocurrencies isn’t completely anonymous, nor is it free for organised criminals and fraudsters to use. Indeed, many will be surprised to learn that HM Treasury even ranked digital currencies as low risk for money laundering in its 2015 National Risk Assessment.
This low threat level is, in part, due to the work exchanges voluntarily carry out with their own versions of KYC and onboarding. In the UK, these exchanges, while not part of the regulated sector, are still subject to some of the same domestic legislation that governs the prevention of money laundering, terrorist financing, and circumvention of the sanctions regime. As a result, what should these entities be doing to comply with current legislation and prepare for future regulation?
- Onboarding and KYC – develop an onboarding policy and procedure with appropriate safeguards to prevent exchange facilities being used for the commission of financial crime. Also, it may be sensible to design your policy and procedures in such a manner that they can be scaled up in the likely event of future regulatory change.
- Blockchain Analytics – consider the use of third-party blockchain analytics specialists to review the blockchain for suspicious transactions as a way of complementing KYC/AML checks.
Objectivus has a great deal of experience supporting cutting-edge FinTech companies that deal in crypto and digital currencies. Our consultants are highly adept at managing these clients’ unique needs. This includes facilitating relationships with banking institutions, implementing a suite of compliant policies and procedures, and providing risk assessment and advisory services.