Attorney general’s brutal crypto exchange review is just the start
A heated argument is a healthy argument... within reason.
On 17 April, the New York Attorney General Eric T. Schneiderman launched the Virtual Markets Integrity Initiative. It was a fact-finding mission rather than an inquisition, and was largely welcomed at the time by an industry hungry for the opportunity to prove its legitimacy and commitment to customer safety.
The results might be less thrilling, and the overall tone of the findings might be described as politely tempered, yet brutal.
The initiative took the form of a detailed questionnaire which would have been a real pain to complete. You can find the full list of questions here (PDF).
All information in the findings reflects information voluntarily provided by participating exchanges. And while the exchanges were asked to provide confirmation of the information they provided, the Office of the Attorney General (OAG) cannot vouch for the accuracy of their responses or confirmations.
It also notes that what you're seeing in these results probably represents the pinnacle of industry legitimacy, or somewhere close to it. This is because cryptocurrency exchanges that want to trade in New York need to get the famously onerous and expensive-to-obtain New York BitLicense, and many of the respondents either achieved or it were willing to go to the trouble of applying for it. This is well above the industry norm.
A total of 14 exchanges were invited to participate, and 10 did while the remaining 4 bowed out while saying that they didn't accept trades from New York.
Those four exchanges were then investigated to see whether this was true, and three of them were then referred to the Department of Financial Services (DFS) for potential violations of New York's virtual currency regulations.
The results in the review are from the 10 participating exchanges
It's not pretty.
They're rife with potential conflicts of interest
It's common, the report noted, for exchange operators to use their own platforms as a trading venue. Similarly, they're often issuers of a cryptocurrency that's traded on their own platform (such as Binance BNB and many, many more). This is fairly common in the cryptocurrency world where exchanges will often issue their own tokens, and then obviously go on to trade them on their own platform, but it's still a potential conflict of interest. The same goes for exchange operators having holdings in other cryptocurrencies being traded on their platforms, either as an institution or as an individual.
This is compounded by platform employees, who might have access to non-public information, having cryptocurrency holdings of their own while using the same platform for personal use.
The result is "substantial potential for conflicts between the interests of the platform, platform insiders, and platform customers," the report noted.
To a certain extent, these may be unavoidable. For example, in the case of platforms trading their own cryptocurrency, it's perhaps not reasonable to subject these kinds of cases to the same restrictions as more traditional assets. But elsewhere, there's definitely room for improvement.
One of the keys going forwards might be to recognise which elements of cryptocurrency can and cannot be reasonably subjected to existing regulations.
"Rules and regulations will need to catch up with certain market realities that are unique to the crypto ecosystem; including global participation and around-the-clock trading. We don't expect to see a perfect solution from regulators any time soon, but there is plenty of good intent from our conversations in both the private and public sectors," says Ken Nguyen, co-founder and CEO of Republic.
"Trading platforms have yet to implement serious efforts to impede abusive trading activity"
Some exchanges have taken steps to police the fairness of their platforms, the report notes, but most haven't.
"Platforms lack robust real-time and historical market surveillance capabilities, like those found in traditional trading venues, to identify and stop suspicious trading patterns. There is no mechanism for analyzing suspicious trading strategies across multiple platforms. Few platforms seriously restrict or even monitor the operation of "bots" or automated algorithmic trading on their venues.
"Indeed, certain trading platforms deny any responsibility for stopping traders from artificially affecting prices. Those factors, coupled with the concentration of virtual currency in the hands of a relatively small number of major traders, leave the platforms highly susceptible to abuse. Only a small number of platforms have taken meaningful steps to lessen those risks."
"Protections for customer funds are often limited or illusory"
"Generally accepted methods for auditing virtual assets do not exist, and trading platforms lack a consistent and transparent approach to independently auditing the virtual currency purportedly in their possession; several do not claim to do any independent auditing of their virtual currency holdings at all. That makes it difficult or impossible to confirm whether platforms are responsibly holding their customers’ virtual assets as claimed.
"Customers are highly exposed in the event of a hack or unauthorized withdrawal. While domestic or foreign deposit insurance may compensate customers for certain losses of stolen or misappropriated fiat currency, no similar compensation is available for virtual currency losses. There are serious questions about the scope and sufficiency of the commercial insurance that certain platforms purport to carry to cover virtual asset losses. Other platforms do not insure against virtual asset losses at all."
Next time you meet an exchange that says it's fully insured, ask whether that insurance covers customer digital assets. The answer may or may not surprise you depending on how cynical you are. Cybersecurity insurance is a standard component in business insurance, but millions of dollars of customer cryptocurrency is an entirely different can of worms. Similarly, there's a tendency for assurances of protection to be accompanied by disclaimers along the lines of "literally everything is at your own risk, under no circumstances is the exchange responsible for anything whatsoever."
"Illusory" protection is an ongoing problem in the industry. But once again, it's worth considering the real differences and realistic limitations of trying to subject cryptocurrency exchanges to the same standards as other financial institutions. For example, insurance options for customer crypto tend to be extremely limited and expensive these days and were entirely non-existent a few years ago. In this respect, it's perhaps not (yet) fair to hold cryptocurrency exchanges to the same insurance standards as other financial institutions.
The findings are of great interest to a great many industry experts, touching on everything from cybersecurity to business strategy to regulations to cryptocurrency's core ideals of decentralisation and traditional libertarianism.
On the broader industry implications of the report
The findings will have ripple effects over the next six months to a year, says Franklin Bi, associate director at Wachsman Strategic Advisory Group and former blockchain strategy lead and VP for JPMorgan.
"The ramifications of this report will play out over 6-12 months, at least. The New York Attorney General’s Office leads the nation on these types of issues and this is as clear as it gets. Today is also vindication for everyone who sounded the alarm on how much improvement is needed across cryptocurrency market infrastructure. It may be tempting to dismiss this report as a one-off event, but it could be the beginning of a series of actions at the federal and state level," he said.
The findings are loud and clear, and exchanges that want to get at US customers should probably be paying close attention.
The report didn't entirely cover all necessary cybersecurity angles, noted Hosho CEO and founder Yo Kwon, but what was covered raised some serious issues.
"It’s frightening that two of the nine responding exchanges do not conduct penetration tests; every exchange should be conducting them regularly," he said. "I also recommend that exchanges offer an authentication mechanism even greater than 2-factor, while encouraging its usage.
"One missing piece in this investigative report is how the cryptocurrencies themselves are evaluated from a security perspective. Smart contract-based tokens should be audited for risks and wallets should be examined as well. Hopefully with reports like this, consumers can hold exchanges more accountable by abstaining from using those reporting poor security hygiene."
On heavy-handed authorities and government over-reach
"This report is another example of New York’s OAG overreaching its mandate by requiring businesses that operate outside of their jurisdiction to subject themselves to New York oversight," said Dash Core CEO Ryan Taylor. "This further cements New York's reputation as a state that is not friendly to cryptocurrency. It is deeply disappointing to see the state target well-run organizations that actively exclude users from New York, and take steps to prevent users from circumventing these controls."
It's worth noting that New York State's reputation for crypto-unfriendliness has been built over years, and that many of the surveyed exchanges have had extensive, expensive and unpleasant flings with New York regulators over the years.
In that context, this report might be seen as just more business as usual. Many of the participating exchanges have never been able to please New York regulators, and probably see no reason to start trying now.
For example, BitStamp poured over $100,000 into its BitLicense application before realising that it couldn't afford to keep throwing money at a license it might not get. Bitfinex also cut off customers from New York when the license came in, apologetically saying it simply couldn't justify the costs of serving NY customers. Kraken was a more emphatic example, walking out of New York with both middle fingers akimbo after the BitLicense came in.
Tensions might be running especially high now, which might also impact the future shape of regulatory moves.
At the time of its introduction, the BitLicense was mostly the domain of well-funded institutionalised crypto services. In fact, the first ever BitLicense was awarded to Circle in 2015, which happens to be heavily backed by Goldman Sachs to the tune of $50 million. To date, only five BitLicenses have ever been awarded, and all of them have gone to extremely large firms that enjoy close ties to established financial institutions.
Whether intentional or not, the effect over the last few years has been to kick the smaller crypto players out of New York. And now, right as the New York OAG releases a new batch of criticisms, Wall Street's biggest institutions are diving right into cryptocurrency from their Manhattan offices.
Many bitcoin ideologues see cryptocurrency as a way of challenging bank dominance, and a way of regaining economic control from the financial institutions whose reckless pursuit of profit plunged the world into the Global Financial Crisis (GFC). Satoshi Nakamoto all but explicitly said that bitcoin was a direct response to the GFC. From a more extreme perspective, it might look like regulators spent years fighting and delaying cryptocurrency just long enough for their pals on Wall Street to come in and steal bitcoin's potential for themselves.
This is worth considering to better contextualise Kraken's eyebrow-raising responses to the OAG's report.
Release the Kraken
Most crypto traders don't care about "licenses and regulatory approval, being protected from market manipulation, being protected from making risky investments [or] conforming to Wall St's image of what crypto markets should be," Kraken said in its public response to the OAG.
They just want a high quality, fast and secure platform to do their thing, Kraken said. And if that thing happens to be placing risky bets on risky assets in an unpredictable and potentially manipulated market, then who is the OAG to tell the customers they can't?
"We encourage regulators to resist the temptation to just swing at whatever's within arm’s reach. Think about your long-term strategy. If you make life too difficult for your neighbors, they might move away. And then you will be attempting to protect your consumers from the guys across the ocean, who couldn’t care less about your strong right hook," Kraken said. "Whether you think you have us by the balls or not, approaching us with some basic respect and having a conversation is always going to make the interaction smoother and help you get what you want faster than storming in with your 'or else' list of demands."
The OAG described Kraken's public response as "alarming."
Gambling or finance?
Other industry insiders share the OAG's concern.
"The OAG's crypto exchange report shines much needed light on the practices of US-based exchanges and outlines the many avenues of abuse traders may suffer at the hands of unscrupulous firms. But they haven't even begun to examine exchanges around the world being used by US investors. If and when this happens, many will be shocked," says Kowala CEO Eiland Glover.
"And, though Kraken didn't participate in the Virtual Markets Integrity Initiative, the company did provide truthful insight into unpleasant facts about what drives today's cryptocurrency markets: 'market manipulation "doesn't matter" to most crypto traders and "scams are rampant" claims Kraken.' How could market manipulation not matter? If traders are able to ride the waves of price spikes produced by bots and other market manipulations, they can possibly win big (or, of course, lose it all)—in other words, they are gambling. Who wants to go to a casino where you can only make 8% return on your money in one year—boring. It's so much more compelling to have the chance of making 100x in a few months.
"The problem with this state of affairs is that it can hurt individual investors and delay adoption of cryptocurrencies in particular as real payment mechanisms for everyday consumers and businesses. We need upstanding, transparent exchanges to help move the industry away from gambling and towards realising the true promise of cryptocurrency and blockchain for people around the globe."
Of course, the idea of moving cryptocurrency away from gambling and towards being an established financial service might be a bit of a false dichotomy. All finance is gambling, and from a strictly legal consumer protection standpoint, it's actually easier to gamble away all one's money on the well-regulated stock market than in a casino. Not only is there a false perception of minimal risk, but US casinos are legally obligated to turn away problem gamblers while financial services aren't.
Only one way forwards
Zach Warsavage, North American strategist at Elastos, said: "Government agencies' interest in cryptocurrencies and exchanges is a good sign for the industry as a whole, and one that indicates recognition of the technology's lasting power. The projects that will usher in mainstream adoption of blockchain technology and digital currencies must prioritise regulatory compliance first and foremost."
"The fact that a state regulatory body went through such a comprehensive process to better inform and protect its residents who trade cryptocurrencies is a promising step forward for the overall regulatory outlook in the United States," says Horizen (formerly ZenCash) president and co-founder Rob Viglione. "It is a little disconcerting to see many policies that should be in place to protect investors were, in fact, absent on a few exchanges. In order to foster innovation in the space, it is important to ensure the industry's market infrastructure is operating under the highest standards of regulatory compliance."
Despite all the frictions and ideological compromises, the general consensus might be that cryptocurrency regulation is the only way forwards. Even Kraken, among all its objections to the OAG, emphasises that its goal is to encourage widespread cryptocurrency adoption which can only be accomplished by working with regulators.
It's widely accepted that sensible regulation is the right road to crypto adoption, but there's still little agreement on how to best walk that road and no shortage of conflicting opinions, and it might take some time to get used to the novelty of an industry saying "no" to regulators – at least without also offering a suitcase full of money.
On the whole, all the frictions are probably a good sign of healthy debate where it's needed most.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.