- Blockchain analytics companies tend to flag funds moving to and from private crypto wallets, with self-custody said to be the next fault line for crypto regulations.
- One such firm, CipherTrace, has examined privacy coins such as zcash, as well as non-custodial and peer-to-peer exchanges like ShapeShift, LocalBitcoins and Paxful.
- CipherTrace acknowledges compliance standards are evolving over time, having recently upgraded scores for ShapeShift and Paxful.
- Still, looming regulatory action in the U.S. could soon require due-diligence on self-hosted wallets.
- This is the second part of a two-part series.
Regulated crypto is close to crossing the Rubicon – and we’re not talking about the next price breakthrough.
The steady creep of know-your-customer (KYC) requirements over firms that touch digital assets is now at the foot of private, self-hosted wallets.
This move, which begins with regulated exchanges being required to do due-diligence on non-custodial wallets they connect to, is already underway in places like Switzerland and Singapore, with the U.S. rumored to be next.
Self-custody (being your own bank) and carrying out peer-to-peer transactions with a modicum of privacy is how crypto was designed. And while the Financial Action Task Force (FATF) seeks to impose a traditional anti-money laundering (AML) framework onto virtual asset service providers (VASPs), it’s worth restating that crypto was born out of a desire to disintermediate traditional finance, rather than break the law or facilitate money laundering.
Deep in the thick of the standoff between crypto users and regulatory authorities are blockchain analytics firms such as CipherTrace, Chainalysis and Elliptic, which often act as a window into crypto for law enforcement agencies.
CipherTrace said it could not comment on work with regulatory authorities or law enforcement agencies.
Rightly or wrongly, these sleuthing companies are guided by certain red flags when it comes to tracking funds around the cryptosphere, seeing regulatory risk wherever money moves in and out of self-hosted wallets, privacy coins, peer-to-peer exchanges and bitcoin ATMs, for example.
Self-hosted wallets remain outside FATF’s reach for now, but the proportion of funds moved between exchanges and private wallets is a focal point for blockchain sleuths. This is not necessarily to do with criminal activity, said CipherTrace CEO Dave Jevans, but simply because authorities can’t see what’s going on.
“It’s uncertainty that regulators see as problematic,” Jevans said.
In a previous article, CipherTrace provided a snapshot of exchanges domiciled in the Seychelles, giving each a KYC score. Here, the analytics company dives into non-custodial and peer-to-peer exchanges such as ShapeShift, LocalBitcoins and Paxful.
ShapeShift, the non-custodial exchange launched in 2014 by privacy advocate Erik Voorhees, has been an ongoing subject of KYC and fund-flow analysis by CipherTrace. In August 2018, ShapeShift hired former Hogan Lovells partner Veronica McGregor as the exchange’s chief legal officer, and soon after began requiring customers to reveal their identities to the exchange.
ShapeShift had been given a “red,” or weak, KYC score by CipherTrace, which had also highlighted the proportion of funds flowing in and out of private wallets as a likely indicator of illicit activity.
However, this score has since been upgraded to green by CipherTrace, which acknowledges that grading the KYC processes of exchanges is a “dynamic state of affairs.”
“We agree that their KYC processes today are green,” said John Jefferies, chief financial analyst at CipherTrace. “ShapeShift is a very unique company, with an interesting past. This has spurred us to look at this edge case. Before September 2018 they had no KYC, and those hundreds of thousands of transactions are still on the blockchain and some are involved in ongoing investigations.”
Hannah Burke, ShapeShift director of compliance, said the firm’s revamped KYC involves the collection of a full range of personally identifiable information (PII) as well as screening for sanctions and politically exposed persons (PEPs), which the firm has been independently audited on.
As far as funds coming from private wallets are concerned, Burke said ShapeShift is non-custodial by design. “Our users will typically use their wallets rather than transferring between exchanges. So it’s not a shock to me that private wallets make up a pretty good percentage,” she said.
“We’ve taken down the privacy coins because of their regulatory concerns,” said chief legal officer McGregor. “At least for the moment, we’re not working with those coins.”
Privacy coins such as zcash and monero, and privacy-enhancing wallets (Wasabi, Samourai and others) have valid uses, but are also clear red flags, said Jefferies of CipherTrace.
“There are ways to be compliant with tech like privacy coins,” Jefferies said. “There are ways to make them safe and establish the source of funds, so they’re not inherently bad, per se. However, they do carry with them additional risk.”
The Electric Coin Company, the creators of zcash, commissioned the RAND Corporation to explore the use of cryptocurrencies for illicit or criminal purposes, focusing on zcash.
RAND’s yearlong study showed the top cryptocurrency being used on dark markets or for money laundering and terrorist financing is far and away bitcoin, said Josh Swihart, vice president of growth at the Electric Coin Company.
“Of course, it’s not the number one currency, because the number one currency used for illicit purposes is the dollar, through regulated banks. But the main cryptocurrency is bitcoin, way ahead of even monero,” Swihart said.
In terms of what’s happening on exchanges with privacy coins, Swihart pointed to the U.S.-based exchange giant Gemini becoming the first regulated exchange to support sending funds to shielded zcash transactions. In support of zcash shielded deposits and withdrawals, Gemini stated that they use enhanced due-diligence and may request users provide information on their source of funds, Swihart said.
The zcash currency “is compliant under U.S. regulation,” said Swihart. “As evidenced by zcash support at Gemini, Coinbase and others, ShapeShift’s delisting of zcash, monero and dash does not mean that zcash isn’t compliant. It’s specific to ShapeShift.”
CipherTrace has some history when it comes to LocalBitcoins: A report from earlier this year found the Finland-based P2P exchange was the go-to place for criminal bitcoin transfers for a third year running.
CipherTrace gives LocalBitcoins a yellow KYC grading and remains categorical about its status, calling it a “high risk” exchange.
“These guys are used extensively in money laundering,” said CipherTrace CEO Dave Jevans.
In response to this, LocalBitcoins says CipherTrace is basing its view on historical data, prior to when the platform began implementing KYC.
“If we didn’t have KYC and other stuff in the past, that might have been the case,” said LocalBitcoins Chief Marketing Officer Jukka Blomberg. “But if you look now, our volumes relating to dark markets are very small. Overall, we are a very trusted and secure platform now.”
CipherTrace says it has identified consistently high levels of funds flowing from dark markets going to LocalBitcoins, with some 78% of one particular dark market going to the platform, according to Jefferies. In addition, much of the money going in and out of LocalBitcoins is from private wallets, Jefferies said.
“On the subject of private wallets, we recommend to our users not to keep funds in their LocalBitcoins wallet more than they are planning to trade with because we don’t want to act as a wallet service,” said Elena Tonoyan, the firm’s chief operating officer. “Generally, it’s not very safe to keep bitcoins on any platform. There are hundreds of reasons why users might have a couple of wallets or just choose to keep their bitcoins in private wallets.”
Tonoyan pointed out that LocalBitcoins’ revamped compliance procedures mean KYC is done on all users of the platform, and it’s not the case that older or previously existing accounts are grandfathered into the new regime.
“I would like to point out that we do KYC on all our customers,” said Tonoyan. “Say you had created a LocalBitcoins account back in 2014, to continue using the platform you would have to comply with everything we are asking you to do. We give those users who want to continue with us a deadline of 30 days to comply.”
The LocalBitcoins tiered KYC system, which includes mandatory ID verification and face match when a user transacts over 1,000 euros ($1,190) per annum, kicked in for all users following the arrival of Europe’s Fifth Anti-Money Laundering Directive (AMLD5).
P2P exchange Paxful has been upgraded to a green KYC score by CipherTrace.
In April of this year, Paxful made identity verification mandatory for U.S. citizens and residents, with European and Canadian users added in August, according to Lana Schwartzman, chief compliance officer at Paxful. Paxful has also teamed up with KYC experts Jumio and uses Chainalysis’ know-your-transaction (KYT) tools.
“We have various proactive controls in place, one of which automatically blocks send-outs to specific categories, clusters or addresses,” Schwartzman said. “For example, when the Twitter hack occurred, within minutes we were able to add the addresses associated with the hack and stop all outgoing send-outs.”
Analysis of Paxful fund flows carried out by CipherTrace shows “a fairly high percentage” coming in from gambling and high-risk exchanges, and going straight out to ATMs, said Jevans. In terms of private wallets, this accounts for some 75%, so the source of those funds is “questionable,” he said.
“So people are cashing out their fiat in a way that’s probably not KYC’d because the ATM vendors are probably some of the last – at least outside of the U.S. – to start to implement KYC and AML,” Jevans said. (Despite a recent drive to clean up its act, the bitcoin ATM industry is likely to remain a clear red flag for a number of reasons.)
Summing up, John Salmon, a London-based partner at law firm Hogan Lovells who specializes in fintech, said the CipherTrace findings show the difficult marriage of regulatory and ideological concerns.
“There are also reasons why people might want to use privacy coins and it doesn’t mean that they are all money launderers or criminals,” said Salmon. “It just comes down to a fundamental view they have on what crypto should be all about.”
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.