One of the newest and exciting topics in payments is cryptocurrency. Bitcoin, the first decentralized cryptocurrency, arrived in 2009 and soon exploded in value. Its decentralized nature, made possible by blockchain technology, promised to disrupt the status quo in the heavily regulated payments industry.
Within years of Bitcoin rolling out, the number of different cryptocurrencies expanded into the thousands and virtual asset service providers (VASPs) set up crypto exchanges to allow people to buy and sell various cryptocurrencies. By January 2020, the cumulative market capitalization of crypto totaled over $271 billion.
Although the growth of crypto has been remarkable, many consumers and financial institutions remain hesitant to buy and sell crypto assets because of security concerns. If VASPs want to become a part of people’s everyday financial lives, they must embrace reasonable and responsible regulations, especially related to Know Your Customer (KYC) identification and authentication.
To learn more about how VASPs can secure crypto exchanges through better KYC solutions, PaymentsJournal sat down with Anatoly Kvitnitsky, VP of Growth at Trulioo, and Tim Sloane, VP of Payments Innovation at Mercator Advisory Group.
Most VASPs have weak KYC requirements
The current state of KYC compliance among VASPs around the world is weak. As the graph below indicates, at least half of VASPs in all regions of the world have weak or porous KYC standards.
“It’s quite concerning,” said Kvitnitsky, but “to be honest, I’m not surprised as a participant in the cryptocurrency ecosystem.” He explained that of the dozen or so initial coin offerings—which are commonly known as ICOs and refer to when a cryptocurrency goes public—he’s participated in, only one did proper KYC procedures.
A lot of the time, KYC will consist of having someone take a picture of themselves holding their ID, and an employee then approving or rejecting that photo. That “is not meeting KYC, no matter what country you’re in,” said Kvitnitsky.
Sloane pointed out that by failing to adequately secure exchanges through effective KYC standards, VASPs have created an opportunity for fraudsters. “The exchanges are the most untrusted area of crypto out there. If you take a look at where the [fraud] losses have occurred, they’ve almost all happened in the exchanges themselves,” said Sloane.
Meet the toughest requirements to operate anywhere
Since crypto exchanges span the world, it can be hard to figure out which countries have what regulations. Some countries, especially those in Europe, have much stricter KYC standards, even for cryptocurrencies, while other countries are considerably more permissive.
To navigate the differing regulatory frameworks, Kvitnitsky explained that VASPs should set their sights on becoming compliant with the hardest regulatory markets first. “We always recommend at Trulioo [to] pick one of the hardest markets in terms of regulatory compliance,” he said. If a VASP can meet the requirements there, then they can meet the requirements almost anywhere that allows crypto exchanges.
Sloane agreed with this approach, adding that “in my estimation you go the highest ledge you can and the Bank Secrecy Act is probably that.” The act is aimed at preventing criminals from hiding or laundering money. “If you want to protect your brand, you better make sure that you’ll be able to withstand an investigation for terrorist funding or some other bad act,” he continued.
How to improve KYC standards
“It all starts with an education layer,” began Kvitnitsky. Too many exchanges are simply unaware that their KYC measures are inadequate. VASPs that have users take selfies with documents, for example, must realize the problems with that approach and learn about better alternatives.
Then VASPs should focus on the legal layer. As discussed, different regions and countries have different rules around compliance. VASPs should determine which market they want to operate in and then plan accordingly. Once they have KYC solutions in place, VASPs must then focus on training and usability. Ensuring compliance can require a lot of engineering resources, so VASPs should keep that in mind as well.
Best practices for identification and verification
Since Trulioo currently supports 3 of the top 5 crypto exchanges in the world, it has some insight into what these exchanges are doing right when it comes to KYC.
The most successful exchanges are ones that have built trust with users. They have been able to do so by taking a risk-based approach that’s similar to approaches taken by normal financial institutions. In fact, many of the largest and best funded exchanges have been hiring ex-bankers and ex-financial institution employees to help bolster compliance capabilities.
As a result, these successful exchanges “adhere to the same kind of KYC and AML [anti-money laundering] processes [that banks use]. And frankly, as users, it makes us feel better when the company is taking those precautions,” Kvitnitsky noted.
Finding the right partner to improve KYC
No matter what solution a VASP uses, it is important that they balance speed with security. If the identification and verification process is too long or onerous, users will likely abandon the platform.
Luckily for VASPs looking to make exchanges more secure without adding too much friction, companies like Trulioo can help.
“We take a stance that data rules all when it comes to KYC,” said Kvitnitsky. The safest way to meet KYC requirements is to verify incoming data against data from government agencies, credit bureaus, and other trusted sources. “We do it through a single API where we integrate over 400 different data sources,” he continued. Trulioo’s approach also combines artificial intelligence and manual reviews for document verification.
“What’s important to us is users being able to trust the VASPs and exchanges that they’re working with through the whole process,” concluded Kvitnitsky.