The Takeaway:

  • Out of a list of 26 crypto exchanges domiciled in the Republic of Seychelles, approximately half have poor know-your-customer (KYC) procedures, according to blockchain tracking firm CipherTrace.
  • Analysis of certain Seychelles-based exchanges reveals the proportion of funds flowing to and from “high risk” sources and dark marketplaces.
  • In an interview with CoinDesk, the Seychelles Financial Services Authority acknowledged that the U.S. crackdown on crypto derivatives exchange BitMEX in October was a “blowup” for the island.
  • A former FinCEN compliance and enforcement director expects more actions from authorities investigating the Seychelles jurisdiction.
  • This is the first part of a two-part series.

When it comes to island-hopping crypto exchanges with relaxed know-your-customer (KYC) procedures, Seychelles-domiciled BitMEX, whose senior execs were issued with arrest warrants in October, could be just the tip of the iceberg.

Places like the Republic of Seychelles, an archipelago off the coast of East Africa (population: 96,762), can be attractive to firms because of favorable tax treatment and ease of governance when setting up foundations.

Many such jurisdictions are trying to reinvent themselves to adapt to new economic realities. Perhaps they want to be the next fintech or crypto hub and are experimenting with sandboxes and the like. Of course, some aspiring crypto centers may be more cautious than others. This often depends on the type of services already provided. Malta, for instance, already caters to a number of investment firms, while a jurisdiction like Luxembourg has a well-established financial services sector.

Things start to go awry when an enforcement action like the one against BitMEX happens. In this case, the Seychelles bore the brunt of some headline-grabbing evidence that investigators had gathered, namely BitMEX’s former CEO, Arthur Hayes, saying it would cost just “a coconut” to bribe Seychellois authorities.

It’s a point that remains contested by the Seychelles Financial Services Authority (FSA). 

“When we saw that comment, we as a jurisdiction and as an authority did seek clarification and an explanation about what was said,” FSA chief Steve Fanny told CoinDesk in an interview. 

Fanny claims the comment has been misconstrued. “It can be construed as if Seychelles is very relaxed and you can buy your way. Or it could be construed as there was a sarcastic comment that gentleman made while under attack,” he said. 

In any case, such an event is bound to bring further scrutiny. 

CipherTrace, which works with exchanges and also has contracts with public authorities, has been conducting ongoing research into how crypto exchanges handle their KYC and anti-money laundering (AML) responsibilities.  

CipherTrace employs a two-pronged approach. Assessing KYC onboarding involves the straightforward legwork of setting up accounts at exchanges. KYC onboarding assessment is complemented by AML analytics, also called “know your transaction” (KYT). This is done by moving funds around the system, a kind of crypto mystery shopping, and identifying how much is linked to “high risk” sources.

A combination of KYC legwork and KYT analysis yields a risk score for each exchange.

KYC risk scores of VASPs registered in the Seychelles
Source: CipherTrace

A green score means the company’s KYC can pass muster with regulators. Yellow could mean the exchange’s KYC is “porous,” so perhaps its KYC doesn’t kick in unless a transaction is higher than some nominal amount. A firm might also be graded yellow if it has begun stringent KYC, but only for new customers. Red is weak, which generally means a user can carry on with little more than a valid email address.

The number of weak KYC exchanges domiciled in Seychelles (at least 12 with poor scores) is a cause for concern, especially in light of the BitMEX arrests, said CipherTrace CEO Dave Jevans.

“When it comes to these companies that are domiciled in Seychelles, is the government worried?” Jevans said. “I mean, it’s not a good look.”

Enforcement avalanche

There’s no doubt the BitMEX enforcement action has shaken up the jurisdiction.

“Definitely there’s going to be a tightening up now because this [BitMEX] was a big blowup for the Seychelles,” said Alison Elizabeth, the head of the FSA’s Regulatory Sandbox. “The central bank and the Financial Intelligence Unit, together with the FSA legal teams, are making decisions concerning what’s going to happen next.”

Like many jurisdictions around the world, Seychelles has been implementing the AML recommendations of the Financial Action Task Force (FATF), a global anti-money laundering watchdog. This has prompted an upgrade of Seychelles regulation. A new AML/CFT Act and Beneficial Ownership Act were introduced in March 2020.

FSA chief Fanny said that from early January 2021, firms in Seychelles will have to meet FATF requirements around KYC, AML and auditing, and there will be more fintech legislation introduced in March.

Many large companies chose to set up operations from the Seychelles, Fanny said, but there were “also a lot of small companies and at one time we were not capturing all of these.”

FSA has a leadership team of 15 covering subsections like fiduciary, insurance, capital markets and gambling (interestingly, there isn’t a section on the website for crypto exchanges). There are around 360 regulated entities listed on the FSA website.

Fanny added that if Seychelles authorities have “good reason,” firms can be struck off the FSA register. 

“As a jurisdiction, we want to attract the best businesses. If you don’t want to be properly regulated, move somewhere else,” he said.

Long time coming

The BitMEX enforcement action shouldn’t come as any surprise, said Gregory C. Lisa, a partner at the law firm Hogan Lovells in Washington, D.C.

“Seychelles is one of those jurisdictions that’s had a good share of law enforcement and regulatory scrutiny,” said Lisa. “There has been a growing concern about regulatory arbitrage, certainly with U.S. regulators.”

During a virtual event hosted by CoinDesk in October, Heath Tarbert, outgoing chairman of the Commodity Futures Trading Commission (CFTC), hinted that the next BitMEX was coming.

An investigation like the one into BitMEX is usually not a one-off, said Lisa, a former compliance and enforcement director at the Financial Crimes Enforcement Network (FinCEN). 

Law enforcement, regulators and prosecutors get familiar with the space, which takes time, he said. Investigators learn about money flows, often employing forensic analysis companies like CipherTrace, Chainalysis, Elliptic and others, and begin to see patterns emerging out of that jurisdiction.

“There’s a chance this was only the first pebble in an avalanche,” said Lisa. 

BitMEX

The BitMEX enforcement didn’t come out of the blue. The exchange had reportedly been under investigation by the CFTC since at least July 2019, and had responded by implementing mandatory KYC in April of this year. 

Since the charges were brought, BitMEX hired Malcolm Wright as chief compliance officer of 100x Group, the holding structure for the BitMEX platform. Wright is the current Chair of the Advisory Council and Co-Lead of the AML Working Group at Global Digital Finance, and former CCO at Diginex as well as Revolut. Regarding the tightening up of BitMEX’s KYC, the firm’s user verification program has been accelerated, said Wright.

“All users were required to verify by Nov. 5 in order to continue trading on our platform,” Wright told CoinDesk via email. “Until verified, no user could open a new position or increase an existing position. Whilst unverified, users could not receive or accrue affiliate payouts.”

From Dec. 4, any users that had not completed verification became unable to withdraw funds. Funds will be recoverable from user accounts and withdrawals will be processed normally after verification, Wright added. As a result of these concerted efforts, BitMEX was recently upgraded from yellow to green KYC score by CipherTrace.

Looking back, CipherTrace data shows how BitMEX’s fund flows have evolved over time, skewing more towards opaque sources.

BitMEX fund flows from February 2009 to October 2020 [Note: BitMEX has now been upgraded to 'green' KYC by CipherTrace]
Source: CipherTrace

Going back a couple of years, money flowing into the exchange was coming from other exchanges including Poloniex and Binance, but a high proportion now flows in and out of private wallets held outside the reach of regulated exchanges.

“If you compare [previous years with] last year’s analysis, it was mostly private wallets,” said CipherTrace CEO Jevans. “So over time it has migrated from exchanges to people using private wallets to try and hide the provenance of their funds. This is one of the things they [BitMEX] were really pushing.”

Wright said the BitMEX platform screens for bitcoin provenance using a leading independent blockchain analytics provider, while suspicious transaction reports (STRs) are filed with the Seychelles FSA when there are doubts as to the legitimacy of any transfers.

“The use of private wallets across the crypto industry has become more prevalent for a variety of legitimate reasons,” Wright said, “not least as an extra line of defense against potential hacks.” 

BitMEX fund flows from October 2019 to October 2020 [Note: BitMEX has now been upgraded to 'green' KYC by CipherTrace]
Source: CipherTrace

The CipherTrace MO

After opening an account at an exchange, CipherTrace discovers the thresholds for how much money can be moved about without doing significant KYC.

To build up a picture of fund flows, CipherTrace circulates crypto around a network of what it considers to be high- and low-risk exchanges and also dark marketplaces. 

“We move money to dark markets, we pay into ransomware and engage in commerce of all types,” said John Jefferies, the firm’s lead financial analyst. “We’re able to create between 3 million and 4 million pieces of attribution data per week. Then we use a combination of machine learning and predictive analytics and clustering techniques to associate wallets with different entities, and follow the flow of funds around the internet.”

Jefferies said the CipherTrace KYC grading system is “a fairly dynamic state of affairs.” He acknowledged there is a temporal aspect to this. In other words, how long after an exchange has done an upgrade of its KYC does it take to turn from red to green? (This idea will be explored in greater detail in the second part of this investigation.) 

The green, yellow or red KYC scores given by CipherTrace are viewed in a “fairly binary” manner by regulators, Jefferies said. “It’s either good or demonstrably bad,” he said. “What we would call yellow and red, they would simply call bad.”

Peer-to-peer

In recent years a hotspot for blockchain analytics firms has been peer-to-peer exchanges, where funds are typically held in escrow ahead of a transaction between two counterparties. This approach naturally involves less in the way of centralized overbearance, and in some cases this has also meant little or no KYC. (It’s worth restating the fact that crypto was originally designed this way.)

At any rate, this situation is changing, at least when it comes to well-known players like LocalBitcoins and Paxful, which have been working to improve their KYC/AML procedures. 

Seychelles also has its fair share of P2P exchange activity and CipherTrace has highlighted some of this. Remitano, cited below, does a lot of business in places like Vietnam, Nigeria and Malaysia, and scores a green KYC rating, according to CipherTrace. However, analysis of the platform’s trading activity shows how funds are flowing to and from high-risk exchanges.

Remitano fund flows from October 2019 to October 2020
Source: CipherTrace

In Remitano’s case, some 5.99%, or approximately $34.5 million, of funds was received from high-risk exchanges, while 24.5%, or about $76.5 million, was sent to high-risk exchanges. Large exchanges that act as third-party custodians typically have more control over the funds that flow out than the funds that may flow in. (San Francisco-based Coinbase, for comparison, received 2.3% from high-risk sources in the past year, but only sent 0.29% out to high-risk destinations.)

“You can also see in the last year that [Remitano] is sending and receiving funds from some very high-risk exchanges,” said Jevans of CipherTrace. 

A Remitano representative told CoinDesk via email that the exchange was considering whether to move its base away from Seychelles.

“We are not sure if Seychelles would like to cut ties with [our] business due to the BitMEX situation or not, but we received a clarification information request about our business activities in the last couple of months,” said the Remitano representative. “We are still working closely with our service agency to make sure we are in good standing. We also are planning to move to a crypto-friendly country, but for now no decision has been made.”

In terms of handling incoming flows from the darknet, illicit sources and high-yield investment products, Remitano said it is partnering with TRM, the analytics provider backed by PayPal among others.

“Our product team is still working on the integration,” Remitano said. “We have already implemented many filters to secure our user funds and prevent the fund flow from bad sources. Our screening team may request some additional details before he/she is able to continue to trade on our platform.”

CoinDesk reached out to all the firms listed by CipherTrace, but only a few replies came back.  

Lo Chia Ching, head of marketing for AEX, which scored a red KYC from CipherTrace, said that in order to trade fiat a user has to share a photo ID, and that for transactions over 5,000 Chinese yuan ($765) the user is required to complete the KYC process in the form of a video.

“Users can trade tokens without full KYC, but must perform KYC before swapping for fiat. KYC involves a China ID card, for example, which can be photographed, or the user can make a video,” Lo Chia said via Telegram. “Users can’t use the [over-the-counter] function until KYC has been completed.” 

Mark Lamb, CEO of CoinFlex, which was graded by CipherTrace as having weak KYC, said his firm’s procedures meet the same measure as regulatory frameworks in Europe and many other places. 

“If transactions are above a certain level, more regulation is stacked on top,” Lamb said. “Do you think we just pulled this out of our asses?”