3 Common Compliance and Regulatory Pitfalls to Watch for in 2020


Regulations are not going anywhere. On the contrary, financial service providers face more regulatory challenges and higher costs than ever before. During the early days of cryptocurrencies, a “Wild West” culture emerged when regulators, uncertain about how to tackle this thing called blockchain, paid little attention to the thefts, scams and hacks plaguing the virtual-asset market.

Today, this is no longer the case. No matter their roots, every virtual asset project from Telegram to Shapeshift to Libra is ramping up compliance while regulators continue to issue guidance, enforce regulations and pay closer attention to digital securities platforms, crypto exchanges and other virtual-asset service providers, or VASPs, catering to the residents of their respective jurisdictions. Despite this, many organizations in the blockchain space still face a painful combination of misinformation, opaque legislation and willful ignorance when it comes to fulfilling their obligations in each of the markets they serve.

As the demand for digital tech continues to increase, regulatory compliance has become a competitive advantage and key differentiator for successful fintech and digital-asset platforms. In contrast to the Wild West days in the sector, “compliance” is now the new buzzword when promoting fintech services, with headlines like “the compliant _______ platform” plastered across the websites of digital securities, security tokens, ICOs, FX, OTC, brokers and exchanges.

Unfortunately, calling something compliant does not make it so. The very definition of compliance is not only a moving target, it also includes gray areas such as a “risk-based approach,” which can change massively depending on the nature of one’s business activities and client base. Without defined industry standards for guidelines such as Know Your Customer or Anti-Money Laundering, it is easy to see why VASPs — even those with the size and budgets of Coinbase, Binance or Libra — struggle to maintain a compliant business.

To stay ahead, VASPs must have a clear understanding of their regulatory obligations and how these impact their business viability in any given market. Avoiding the three most common pitfalls of compliance can shorten a company’s time to market, create barriers to entry for competition, and protect its reputation.

Pitfall 1: KYC means verifying users’ identity during onboarding

This is the biggest misconception that plagues most digital securities platforms, exchanges and other virtual asset service providers in the market today. Knowing your customer is not a one-time thing — you are obligated to keep up-to-date, auditable records for each client for the entire time you serve them.

In many jurisdictions, your record-keeping obligations can extend for years after the client ceases to do business with you. In order to build a robust and scalable business, it is important to account and design for KYC refreshes, ongoing AML screening, transaction monitoring and user re-authentication for the entire client lifecycle.

Pitfall 2: Changes to compliance requirements depend on where you are based

Most virtual-asset businesses are subject to a wide range of regulations — data privacy, personal information protection, KYC, AML, securities and derivatives, payments and digital identity. Some regulations, such as the GDPR, apply across European Union members and harmonized jurisdictions. Others, such as payments services, are quite nuanced with complicated, state-by-state regulations for money services and transmitters as well as reporting requirements. In Singapore, payment token businesses have had to close up shop or leave the country as they wait for the ability to legally do business. 

It is important to understand the regulatory obligations in every market where you serve even a single user. For example, holding a license in Estonia or Lithuania may not provide the ability to offer that same service in Germany, the United Kingdom or Canada. While a business can take advantage of “passporting,” using a single financial services license across multiple jurisdictions, it is important to understand where and whether other regulatory variations exist, including how data is collected, processed, maintained and reported.

Pitfall 3: Build it once and we are good to go

While this is theoretically possible in very small markets, in practice, a business’ activities are most likely subject to multiple regulators in each market it serves. New regulations are being rolled out every week, potentially impacting how you process or maintain your users’ personal information, verify their legal identities, screen for risk, perform customer due diligence, or document successful compliance operations.

In order to stay ahead of these challenges, management teams must look at their business through multiple lenses such as that of AML, a VASP or securities law — and that is only within the scope of financial regulation. New trends in one market can quickly become the standard in others. Use of a specific method in one market may become outlawed in others. Innovative firms can often find new opportunities to use regulation for their benefit by closely monitoring the shifting landscape.

Key regulatory shifts in 2020

While not a definitive list, here are some of the key regulatory shifts to watch closely in 2020:

Virtual asset service providers

  • Last year, the FATF published new guidance that included definitions of both virtual assets and virtual asset service providers. Around the world, financial intelligence units such as FinCEN in the United States post local updates of their interpretation of FATF definitions.

    Firms will be required to implement and maintain an AML program, even if they are “crypto only” service providers that avoid fiat transactions. These changes will take effect in the majority of FATF member countries over the next twelve months. Most notably, today marks the June 2020 deadline in the United States.

  • The so-called travel rule, also from FATF, has created significant buzz and misinformation throughout the industry. Most importantly, peer-to-peer or wallet-to-wallet transactions are not included — only transactions where funds are transferred on behalf of the end user by a VASP, with various interpretations setting local thresholds such as $1,000 in the U.S.

    Similar to the evolution of SWIFT for bank-to-bank transactions, or the FIX protocol for trades between exchanges, compliance with the travel rule is requiring the industry to collaborate on technology, standards and interoperability. A global standard for VASPs will enable new models of open-source, decentralized finance that is compliant by design.

Digital securities

  • Communications: How a VASP markets its products and services or how an issuer markets its token is subject to myriad regulatory requirements. Promising financial returns, spamming potential users or investors, as well as how and where KYC data is stored and processed are all subject to regulation for data protection, consent and disclosure.
  • The U.S.: The example of the recent shutdown of Telegram’s TON clearly demonstrates that, in digital securities, compliance by design not only saves considerable time and money and prevents fines or being added to watchlists — it can also be the main factor keeping a project alive.

Secondary markets

  • In the U.S., Open Finance Network is closing operations largely due to lack of a market. Meanwhile, Nasdaq and Carta are seeking to leverage their massive user bases and established brands to create their own private markets. These trends are repeated in Canada, Europe and Asia — a global race to crack the holy grail of finance: compliant and automated with multi-jurisdictional liquidity.
  • Globally, new regulations for strong client authentication and transaction monitoring require financial service providers to manage a web of complex tools. Digital onboarding is not KYC. The most common reason we see early-stage fintech firms failing a compliance review is that they do not understand the full scope of what it means to know your customer on a consistent basis. By integrating or consolidating systems for cyber security, anti-fraud, onboarding, KYC, AML, etc., these businesses not only make compliance easier — they are architecting scalability into their business. For private capital markets, the platforms that move beyond the false dichotomy of privacy vs. security and strike a balance between risk management and respecting their users’ privacy, data and assets will own the market.

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Matthew Unger is founder and CEO of iComply, a global regtech for turn-key digital onboarding, SCA, KYC, AML and data governance compliance. After founding a $42 million wealth management practice, Matthew exited by age 26 and co-founded a wealthtech platform that was later acquired by Planswell in 2015. Matthew has studied blockchain, AI and business strategy at MIT.