The NYDFS rejected Seattle-based cryptocurrency exchange Bittrex’s BitLicense application, and the resulting rejection letter serves as a blueprint for anyone looking to do crypto business in the Empire State.
For securities lawyer Jason Seibert, who has served on several landmark crypto cases, the crux of Bittrex’s rejection letter is on Page 4 in Paragraph D. He says it offers the 10,000-foot view of what it takes to operate a crypto exchange.
“…Bittrex has failed to demonstrate responsibility, financial and business experience, or the character and fitness to warrant the belief that its business will be conducted honestly, fairly, equitably and carefully,” reads the NYDFS rejection letter of Bittrex, which requested that the exchange provide within two weeks of the rejection written confirmation that it had stopped operating in New York State and doing business with its residents.
What’s clear is that anyone looking to operate as an exchange in New York State must abide by the Five Pillars of KYC and AML:
- internal controls;
- the designation of a Bank Secrecy Act (BSA)/AML officer;
- a BSA/AML training program;
- independent testing of those programs;
- and a risk-based customer due-diligence procedure.
“For instance, you have to be able to know if there’s somebody that’s on a sanctions list or an OFAC list,” explains Mr. Seibert, referencing the Office of Foreign Assets Control. “So, it becomes an issue if an exchange doesn’t even know who their customers are due to the ability for users to create a false name or an alias account.”
Seibert points out that no one is going to win points with the regulator when they allow Elvis Presley to trade, as was the case with Bittrex.
“An exchange must see some form of ID, some sort of registration, some sort of link between an actual person and an account,” explains Seibert. “You can run an actual ID against a database like OFAC to make sure that it isn’t a sanctioned Russian who’s not supposed to be doing business in the United States or someone laundering money through a cryptocurrency exchange because they’ve created a false account. That’s the issue with these anonymous accounts. When you’re looking to be a government regulated entity, you have to follow all the rules. You can’t allow anonymity anymore.”
But anonymity is the lifeblood of cryptocurrency, and the goal of doing things anonymously (having your money, spending it, trading it, and doing anything you want with it without the government knowing) doesn’t fly with regulators.
“The goal for a lot of people in this space is to be able to do things anonymously,” says Seibert. “So, when certain people started finding out that you were going to have to have a verified account with your real name like Poloniex did, a lot of people close their accounts. They go someplace where they can be anonymous.” In addition, a lot of exchanges were not designed to have AML and KYC controls.
“They didn’t know the policy, didn’t do the training, and quite frankly, I don’t think they really wanted to do that because it was contrary to whatever their internal beliefs were,” said Seibert. “In their minds, they’re not there to be the world’s police, and to prevent illegal transactions, money laundering and sanctioned money from traveling internationally. An exchange cannot list tokens without the required due diligence to know if they were securities or not, what was being offered, and who was offering them.”
Seibert cites the Petro cryptocurrency from Venezuela as an example. “Absolutely sanctioned,” he says. “Nobody in the United States is allowed to buy it or should be allowed to buy it because it’s viewed as getting around sanctions on human rights violations. You’re not supposed to buy Venezuelan oil.”
So, for any exchange, listing the Petro token would be a violation. The same goes for an unknown token with unknown issuers and uses.
“You could start avoiding sanctions by having this anonymous token created that certain parties may be trading back and forth in order to launder money,” explains Seibert.
What’s more, all employees at an exchange must be trained on AML and KYC policies and procedures. In the case of Bittrex, NYDFS said that people were not trained and that policies and procedures were inadequate. Bittrex said its framework had been approved by outside counsel, but it’s unclear who the outside counsel was and whether the compliance framework was run as prescribed.
“You can have a fully approved and creative plan and you put it on your desk, but then not execute it,” says Seibert. “If they did have an approved framework by competent outside counsel, then how is it that DFS found that their compliance was insufficient?”
Inspiring confidence in regulators about your ability to serve the public in a regulated manner, moreover, is crucial when it comes to getting a license to operate.
“It’s important to demonstrate responsibility, financial and business experience where the character and fitness to warrant the belief that business will be conducted honestly, fairly and equitably,” said Seibert. “Your internal policies need to ensure you’re not going to be laundering money or allowing money from foreign suspected terrorists, countries or organizations that are on the sanctions list. You don’t want to do any business with those people. There’s a duty to basically say who’s behind this? What are they doing? Who’s selling the token?”
In opinion letters that Seibert has written for projects looking to be listed on exchanges, he details the complete background on the company, including who the players are, whether they’re on a sanctions list or not, and more.
Seibert also highlights the importance of a competent compliance officer and the risks of not having one.
“Perhaps, you have a compliance officer, but they didn’t do anything,” he says. “Perhaps there is a lack of training. Every person in the staff who is at minimum operating and working with a transmission of money needs to know what the policies are and what the rules are for filing suspicious activity reports. Every employee, including the CEO, needs to have extensive AML, KYC and BSA training, and everyone needs to be empowered to raise a red flag and file a SAR. Everyone.”
It’s just the nature of the business, he notes. “Employees must be trained and empowered to file this stuff,” says Seibert. “There needs to be an AML, KYC folder on your desk. That’s your training folder. And it’s got all the requirements and statutes in it. You need to have absolute compliance with the law to demonstrate that you’re a reliable and trustworthy person who knows how to run a business. In the case of Bittrex, NYDFS is not saying they didn’t have a program, it’s just saying that it was completely deficient.”
Not only must an exchange have an AML and KYC policy in place, but that policy must also be audited by an independent party. The NYDFS rejection letter showed that, while Bittrex claimed to have done this, it failed to inform NYDFS who the independent auditor was.
“An exchange’s AML and KYC policy has to be audited and examined by an independent third party,” says Seibert. “In the case of Bittrex, they say they’ve retained an external firm. The department is saying that it would have loved to have seen the engagement letter of who Bittrex’s auditor was.”
He uses the SEC denial of the Bitcoin ETF as an example for entrepreneurs to look at and learn from.
“If I wanted to operate an exchange in New York, then I would be paying attention to what the SEC is saying about exchanges,” said Seibert. “I’m paying attention to what has happened to other exchanges and I want to be the gold star. The Gemini exchange has shown a way forward when it comes to compliance. Running a regulated exchange is not that hard. It’s not like you have to create a framework from whole cloth. There are examples already, you just have to execute that.”
He adds: “The SEC declined the Bitcoin ETF because the regulator felt that the bitcoin ecosystem, including its exchanges, were not well-regulated, supervised or had sufficient controls with the ability for regulatory oversight of those exchanges to be able to say that the activity inside of them wasn’t fraudulent.”