What the Coincheck hack teaches us about Australian regulators

The Conversation 31 January 2018


New laws are coming but will rely on exchanges being honest, as Philippa Ryan from UTS explains.

New risk rules for cryptocurrency exchanges will be put to the test with the latest hack on Japanese exchange Coincheck. Hackers stole US$660 million worth of NEM (its native cryptocurrency).

In the past eight years, more than a third of all cryptocurrency exchanges have been hacked. The total losses exceed US$1 billion. Because cryptocurrencies are almost untraceable, the rate of recovery after a hack is very low.

A number of countries (including Australia) have enacted legislative provisions to regulate the conduct of cryptocurrency exchanges. Regulators hope these will reduce the risk of attack and make operators more accountable for losses suffered by customers when an attack does occur.

These hacks don't just expose gullible investors to risk. They mean funds could be flowing undetected into the hands of money launderers and terrorists.

While cryptocurrency exchanges may operate like banks, they are not regulated in the same way as banks. There is no depositor's insurance and most exchanges remain unregulated.

Due to the near anonymity afforded to users of Bitcoin and other cryptocurrencies, it is very difficult to trace missing funds. When a hack occurs, the attacker gains access to the virtual wallet operated by the exchange and then transfers the cryptocurrency to their own virtual wallet.

The Coincheck Hack

The hack on Japanese exchange Coincheck dwarfs an earlier hack on Bitcoin exchange platform Mt Gox in 2014, which saw the theft of US$480 million worth of Bitcoin.

The operator of Mt Gox, Mark Karpeles, was arrested and jailed for his role in the collapse. At the time Mt Gox was the world's biggest Bitcoin exchange.

He was charged with falsifying records and embezzlement, but there were no laws in place at the time to regulate the Mt Gox exchange and its trade in Bitcoin.

To bring virtual currency exchanges in line with international anti-money laundering and counter-terrorism financing measures, Japanese lawmakers enacted the Amended Settlement Act. Under these new laws, all exchanges operating in Japan must register and comply with rules. These rules include knowing their customers, employing sufficient staff, keeping balance sheets, and (critically) keeping all customers' deposits in "cold storage" (that is, on a computer hard drive that is not accessible via the internet).

These new laws mean that when an exchange is hacked or collapses, operators can be made liable for the way that they managed their customers' funds. Japanese authorities are threatening to prosecute the operators of Coincheck for their failure to comply with the new laws.

In their online apology, the operators of Coincheck have admitted that the hacked deposits were in a "hot wallet" (connected to the internet instead of being offline) and that this was due to "staff shortages". Both of these failures to comply will give the Japanese authorities good reason to prosecute.

Close scrutiny of the accounts is likely to reveal other irregularities. But this is little comfort for Coincheck's investors. Coincheck has promised to return 90% of the lost NEM to its customers, but has yet to say how or when this will happen.

How would Australia's regulator react?

Japan is not alone in its scramble to regulate cryptocurrency exchanges. Just this month, the Australian government announced the Australian Transaction Reports and Analysis Centre (AUSTRAC) will have new powers to monitor Bitcoin and other cryptocurrencies. New legislation also forces cryptocurrency exchanges to disclose details of investors and transactions.

The new laws are part of the government's efforts to combat money laundering and terrorism financing. Exchanges will be required to identify customers more stringently and report suspicious transactions.

All transactions of $10,000 or more must be reported to AUSTRAC. The report must include the names of the customers conducting the transaction, the names of the recipient of the proceeds of the transaction, and how the transaction was effected.

Any failure by an operator to comply with these laws would result in heavy fines and possibly imprisonment. However, as breaches are almost impossible to detect, enforcement of these laws depends on the honesty of the exchange.

One way to detect reportable transactions is to monitor the size of the deposits made into the exchange's bank account. However, individuals can create fake trading accounts and money-laundering syndicates break up deposits into smaller amounts, so as to avoid raising suspicion.

Complying with AUSTRAC's new regulations will be expensive for exchanges. With Australia's new data breach notification laws coming into effect next month, gathering and securing sensitive information about customers and their deposits will be more onerous than ever.

The problem that faces regulators and investors is that the cost of compliance acts as a deterrent to registration. And because registration requires compliance, exchanges need to outlay significant capital before they start to trade. The sheer size of Coincheck's losses indicates it was a high-volume exchange and yet, at the time of the hack, its registration was still pending.

Traditionally, when a foreign exchange collapses and is unable to return customers' deposits, the regulator might prosecute the directors for operating without a licence, failure to comply with financial services regulations, or for insolvent trading. Insolvent trading, for example, attracts both civil and criminal sanctions.

When a cryptocurrency exchange is hacked, the operators and their customers are all victims, but the operators will be made liable for those losses. Under Australia's current laws, a major hack of a cryptocurrency exchange will be met with challenges similar to those facing the Japanese authorities in the wake of the Coincheck theft.

Any investigation of an exchange could involve the Australian Securities and Investments Commission (ASIC), the Australian Taxation Office (ATO) and AUSTRAC. The level of scrutiny that would follow could reveal a multitude of sins, including some that are unrelated to the hack.

For example, ASIC has the power to prosecute for insolvent trading, operating a Ponzi Scheme and breaches of financial services legislation. The ATO could investigate whether GST was being paid on trades.

Frustratingly for the customers and investors, seeing the operators punished does not reimburse them for their financial losses. Repaying deposits after a hack depends on whether the operators remain in the jurisdiction and have any funds of their own.

Philippa Ryan is Lecturer in Commercial Equity and Disruptive Technologies and the Law at University of Technology Sydney. This article was originally published on The Conversation. Read the original article.
