The crypto exchange industry may be far less compliant than it appears.

As revealed exclusively to CoinDesk, a global study of 216 exchanges by the reg-tech startup Coinfirm found 69 percent of these businesses do not have “complete and transparent” know-your-customer (KYC) procedures. The study also found that only 26 percent of exchanges had a “high” level of anti-money laundering (AML) procedures, such as ongoing transaction monitoring and in-house compliance staff with experience in AML.

While some people may see anonymous trading as a feature of the cryptocurrency market, it can also enable problematic business practices and criminal or terrorist activity. Coinfirm CEO Pawel Kuskowski told CoinDesk many such platforms require just a crypto wallet address to get started.

In the report, Coinfirm identified Binance as having a “high” regulatory risk based on “exposure to anonymous activity,” since deposits and withdrawals for values below 2 bitcoin (less than $8,000 as of press time) reportedly did not require KYC as of February 2019.

Overall, there were several exchanges – including Coinsquare, Coinbase, Gemini and the Circle-owned Poloniex – that Coinfirm’s Kuskowski identified as “low risk” due to official licenses and strict KYC/AML policies.

The broad spectrum of enforced compliance procedures wasn’t the most surprising part of this research for Kuskowski, however. It was the legal structure behind some platforms, including several of the industry’s most famous high-volume exchanges, which Kuskowski declined to name.

“It’s perceived as a UK entity, but it’s not really a UK entity,” he said as a hypothetical example. “In a lot of these situations, you would have the entity that is transmitting money, especially fiat, that was actually an entity between the contracting party and the sender.”

The finding follows another recent study by Bitwise Asset Management, which claimed that almost 95 percent of the widely reported bitcoin trading volume was actually an artifice, often involving automated bots or misreported statistics from unregulated exchanges.

“You don’t put any identifier like an email address. That’s how low it can be,” Kuskowski said of certain industry practices. “On the other hand, we have a video conference as part of the onboarding where someone is checking whether the documents you’re providing are in line with what you are holding in your hand.”

Issues with Binance

Throughout the research process, Coinfirm’s team also found that some exchanges failed to fully implement the official policies on their websites. For example, Binance users from restricted countries have allegedly been able to use the platform simply by using a virtual private network (VPN) to obfuscate their location.

A New York-based CoinDesk employee was able to do small crypto-to-crypto transactions without KYC or VPN using Binance, while purchasing bitcoin with a credit card did appear to require KYC.

This harkens back to 2018, when Attorney General Barbara Underwood said Binance, Kraken, and Gate.io claimed they do not service customers in New York and as such her colleagues were unable to determine whether these platforms allowed “manipulative or abusive trading,” not to mention the trading of unregistered securities.

Regardless of how the KYC policy is actually enforced, it’s clear that Binance is taking steps to beef up its compliance procedures. On Tuesday, Binance announced a partnership with analytics firm IdentityMind to “improve existing data protection and compliance measures for Binance’s global operations.”

Binance’s Chief Compliance Officer, Samuel Lim, denied this assertion that users can deposit and withdraw thousands of dollars worth of crypto without any KYC, although he failed to specify what Binance’s KYC requirements are.

Instead, Lim told CoinDesk:

“Where the industry currently stands, it is an ambitious, yet ongoing effort, to implement a unique KYC requirement to service all of our users and businesses. However, in every single jurisdiction that it operates in, Binance adheres to all local rules and regulations and has built trust among the public through its developments, services and values since its inception. For all of our regulated/licensed businesses, the standard followed is the model which is approved by the regulating body, including Jersey, Uganda, Malta and Singapore.”

Opaque jurisdictions

Still, Kuskowski admits this jurisdictional maneuvering can make conclusions difficult.

Kuskowski said that many exchanges have separate legal entities that handle deposits, money transmission or payment processing in a distant jurisdiction where the regulations are lax or generally unclear.

“The parent [company] is operating the exchange but the money is transmitted through this entity,” he said, adding:

“If, for example, you lose your money and think it is a U.K. company and that you can have recourse for this money, if this entity is some dodgy jurisdiction and you don’t know who is the owner, it’s very difficult to have recourse.”

This type of structure may have prolonged the lawsuit against Bitcoin Market, filed in November 2018, because it is unclear whether Oklahoma, where the exchange owners reside, is the correct jurisdiction for this case.

On the other hand, Kuskowski said the diversified legal structure could be “legitimate,” even if failing to disclose such legal structures to users leaves a bad taste in his mouth. Coinfirm’s report did have a silver lining: in 2019, more companies appear to offer clear disclosures and traditional KYC/AML policies than researchers originally found in February 2018.

“Financial institutions are looking for legitimate partners,” Kuskowski said. “We’ve seen a trend of more exchanges implementing these procedures in order to partner with these entities.”
