As part of our webinar series, Passbase brings together professionals applying digital identity in their respective industries. Below, we summarize highlights from our latest webinar discussing the crypto regulatory landscape.
Keep reading to get insights from industry professionals James Park, Chief Compliance Officer at Zebedee and Neel Popat, CEO and Founder of Donut. Zebedee is a FinTech company working with game developers to pioneer bitcoin gaming and Donut is a mobile app that is the easiest way to save and earn high yield with DeFi. James and Neel join Jillian Williams from Cowboy Ventures to share their experience from finance and how they apply their regulatory expertise to the crypto industry.
Jillian: James, Neel, how are you thinking about what’s to come within the crypto regulatory space?
James: Let me start with what’s happened with regulations since 2019. The FATF (Financial Action Task Force) came up with the recommendations for crypto, where countries should make sure they have a KYC regime for the crypto industry. Now, FinCEN, the SEC, and state regulatory bodies are moving along. Now, the US has legislation where transactions the equivalent of $10,000 must be reported to the IRS, in some instances even when broken down into smaller amounts. Big industry players such as Coinbase or Kraken are having to reckon with new rules, while enforcement will trickle down to smaller related industry players.
However, the Patriot Act was introduced in October, 2000, but it took about two or three years for financial institutions to comply with the new regulations.
Jillian: And with that, moving to the consumer landscape. Neel, compliance regulation can often sound really complex to customers. How do you think about simplifying that complexity and educating the customer?
Neel: Yes, we’re a consumer facing app and we think every day about abstracting away complexity for our users. Users come to us to take care of that backend burden for them. They don’t want to be using a service where they put dollars in, get dollars out and earn a return on where they are thinking, “Is this platform compliant?” For us, the imperative is to take care of that. We are actually a platform that is regulated in the US. We have a BSA program. We do KYC on customers because our long term view is that is actually where the industry wants to go.
If you break it down, in our view, the regulator wants to protect three things:
- We want to stop money laundering.
- We want to stop tax evasion.
- We want to stop people selling products that are not real.
Most people in the industry say that that kind of sounds sensible. We’ve said, “Hey, we think that this industry is actually going to be fully compliant over the next three, five years. And we’ve gone down that path early.”
Jillian: How do your compliance programs balance delivering a smooth identity verification experience for your customers, but also robust customer due diligence? What elements of your programs address current regulations versus setting the foundations for the requirements that you think may come in the future?
James: Under the current CIP requirements there are two parts. One is document-based verification such as an acceptable ID, and the other is non-documentary verification to identify if a customer’s ever been involved in a criminal activity (such as watchlists). Software for these are sophisticated with facial recognition and database checks and there are automated solutions for the financial and crypto industries.
However, the backend setting still requires you as the company to choose what level you can accept, such as a point scale, like 71 points out of 100 points. You have to set that risk threshold with a methodology and rationale.
Neel: So for us, getting people’s identity data is probably one of the biggest UX pain points. We want to get people in and out of that experience as quickly as possible. When it’s taking too long to verify for users, there’s drop-off and that obviously hurts our business. You have to strike a fine balance between taking the right amount of information to verify them versus taking potentially too little information that can hurt you. When we think about automated solutions and our KYC process, the main thing is to get people through from A to B quickly while also being able to verify someone with some level of significance that they are not fraudulent.
Jillian: What is top of mind for you when it comes to regulation? What are the benefits versus points of friction for businesses and customers and how do you think the friction can be smoothed?
Neel: I think the biggest pain point we see is getting people through to give things like social security number and their ID. People are usually comfortable giving their name and email address, but when you start getting into ID and social, that’s where we see like a huge drop-off. So we’ve thought from first principles on how to devise the experience, so that it doesn’t feel too onerous.
We’ve made our businesses super transparent on why we are collecting that piece of information. If you explain to people you actually need this and this is protecting the platform, most people are fine with that. Users get confused when processes don’t have that clarity — when users cannot see the point of, say, a video authentication or give a bank statement. We think about designing an experience where users will say okay, this is helpful for me to create a safe experience with Donut.
James: For many cases, you can give users knowledge: why you collect any information and also a privacy policy where you will not share this information. So, we need to educate a consumer and customer, at the same time that it is required to collect the customer in order to offer our products.
Jillian: Are there any regulations from traditional finance that may be more challenging for the crypto industry to adopt? What regulations are top of mind for you, and what are the implications on how you do business?
James: I think one of the challenges the industry faces is what I call travel walls. I think major crypto exchanges will need to develop something similar to the Interbank messages (such as SWIFT) with virtual asset messages that are standardized. If I send money to you as the originator, I have to disclose my information and as a beneficiary, you have to disclose your information. Right now, it’s difficult for people from one exchange to another exchange to carry over enough personal information. I think they’re in a process of working with regulators.
Jillian: How do you deal with the educational hurdles that people need to get over and some of the uncertainty and constant changing within the regulatory landscape?
James: Since we don’t have any central government or governing body for crypto, regulators are going after fraud. For example, when a cryptocurrency is marketed as pegged to $1, that should mean that a company has a certain cash or dollar reserve to sustain that. But when people looked at a certain case, only 1.2% was actual cash while other assets were basically in stocks, commercial papers or others. Lesser known crypto coins are promoted to make larger returns than other investment products and so regulators are going after consumer protection and fraud. There are different ways to segment regulations, such as consumer fraud, money laundering and terrorist financing.
Neel: I like your question about regulatory evolution. When Coinbase first started in the early crypto businesses, people didn’t know how to regulate this. Was it money transmission? Was it securities law that applies here? Then, people said, “Hey, this looks a little bit like currency exchange. Let’s bring in money transmission.” Then, all the exchanges got regulated.
No one’s arguing that we shouldn’t regulate this industry. People just say it just needs appropriate regulation. There are some businesses that say, for example, doing exchange activity that may be falling under regulation. Regulation kind of cycles, where it hardens and softens. This is just the next step in government and businesses trying to work out how this should be protected for consumers, but also delivering a level of regulation that’s sensible and not a barrier to innovation.
Jillian: How do you best stay ahead or make sure you’re tracking the newest regulations that are coming down the pipe?
James: For example, if you are a commodity, you have to follow CFTC rules. If it’s money transmission, we have to follow FinCEN guidelines. As an investment grade offering, you have to follow the SEC. The applicable laws will come down to the industry segment you’re in.
Neel: You need good regulatory counsel to keep on top of what’s coming. I think it’s just the job of the founder to really get on top of these regulations as someone that runs a business in the space. For me, it’s about 20% of my time and then there are other people who help us. You need to keep abreast of the news and developments. We have like alerts set up for new regulation.
Jillian: Crypto by nature also can be a global product. How do you deal with that in terms of dealing with different regulatory bodies in different countries?
James: I think the backbone of AML regulations like BSA and other regulations out there is establishing robust CIP programs in institutions. Regulators or law enforcement agencies, if they ever request information by subpoena, you will be able to provide information. This is why it’s important to know who your customers are, what kind of customer you are dealing with. Later on, you will have to risk rate customers into high, moderate or low risk. The high risk customers you will have to do EDD, enhanced due diligence, or have transaction monitoring. So, start with a KYC, in order to operate in any kind of financial related industry in business, such as a DeFi or wallet providers, or exchanges.
Neel: This is a completely independent financial system that’s being created. A lot of the old regulation wasn’t applying or wasn’t built for a completely global independent financial system where there’s no central parties, and there’s these protocols that do amazing things. You’ve just got to respect the local regulator. If you operate in that geography, you’ve got to respect what they want. Usually, they want exactly the same thing. So James outlined, it’s a robust CIP program so that you are facilitating anti-money laundering. Maybe we need to figure out a way how to standardize some sort of global regulation over time for this asset class.
James: I would like to add that CIP applies to the United States within the territory. Also, transaction monitoring is your company’s matter to handle. You should have a country risk rating and what countries you want to deal with or might be too costly to have an ongoing monitoring program. You should avoid falling into regulatory scrutiny in terms of operation. It’s difficult because there are no rules beyond these guidelines to establish KYC. Your local regulation supersedes global guidance, I would say. However, the US was the pioneer for laundering and terrorist financing law and is a benchmark to follow.
Jillian: Do you have any advice or tips for cryptocurrency companies on how they should be thinking about getting compliant and regulations today and in the future?
James: Yeah, as their leader, the CEO and founder of crypto companies may not be aware of what is going on with regulation. However, as long as you have reasonable step toward establishing KYC (know your customer) base, I think you’ll be fine. Regulators are not going to come in the first year of operation. Regulators will work with you to give you recommendations. Regulators also understand this is an emerging industry in the digital economy. Regulatory enforcement goes to the largest institutions such as Coinbase that can afford to keep a compliance department. If I would like a new startup business, I will make sure that any customer trying to open an account with me, I will have reasonable belief that this customer is something he provide true identity that we’ll accept. Then other things get added on top, such as transaction monitoring and other customized compliance programs based on the complexity and size of your business.
Neel: If there are people that are starting crypto companies or working in DeFi already, it’s actually about thinking about yourself as a FinTech. Don’t act like you’re unaware of the regulation, because I think that that will only hurt you in the long run. Actually have a very sensible regulatory strategy.
If you look at neobanks, some big ones have had very different regulatory strategies. One went with revenue partners and is not fully regulated whereas the other went fully regulated. You just have to think about your and regulatory strategy, which is different for every business. You can create your competitive advantage if you can get it right.
Jillian: There are crypto and DeFi companies that are at the intersection of traditional finance and DeFi, so are there different things that they need to watch out for, especially from a regulatory perspective?
James: Yeah, there could be collaborations between traditional finance. For example, you can have a third-party CIP with reputable institutions and share a customer packet or customer database. You can enter into these agreements to ease up your KYC burden, when there’s an agreement that at a certain time and circumstance they can share their information. If you are a wallet provider, you can certainly share the information because you share the customer with the same product. There’s many ways to help each other.
Neel: I would encourage companies to think of themselves as classical FinTech if you’re at the intersection. Also, work through the regulatory challenges together. People in your industry are your friends — they’ve worked through the things you’re working through.
When is the best time to implement KYC for AML?
James: Best answer is the time of account opening. My suggestion would be rather than to have missing or incomplete CIP information, to have them come back and open it. You do not want to open an account based on contingency and ask a customer to supply supporting documentation within 30 days because you might not have ongoing monitoring set up yet and then they will transact.
Neel: You could segment KYC to three different buckets, such as collect this for account opening or that for transactions. I would say get it all in one go, so that when you’re about to transact, the user isn’t missing this or that.
James and Neel also answered a number of audience questions, such as whether we can expect similar passporting and dealing with uncertainties as a B2C DeFi startup. Neel spoke of paying attention to how new and emerging protocols and innovation will be thought of and regulated. James cautioned the audience to understand when regulations apply, such as when bitcoin is treated as a currency and whether companies may need to register as an MSB in the US even if they are only handling bitcoin.