How newer regtech could be used to help audit cryptocurrency organizations

[Note: I neither own nor have any trading position on any cryptocurrency.  The views expressed below are solely my own and do not necessarily represent the views of my employer or any organization I advise.]

About two years ago I gave a speech discussing the challenges cryptocurrency-related companies have had in creating reliable internal financial controls: how, over the span of a few short years, the cryptocurrency startup landscape (un)intentionally reinvented the same type of intermediaries, custodians, and depository-like structures that the original creator(s) of Bitcoin wanted to route around but… set up without the oversight, assurances, and accountability you would find required in the traditional brick-and-mortar world.

The lack of financial controls and subsequent pitfalls is easily identifiable in the irrational exuberance of the get-rich-quick “initial coin offering” (ICO) world.  I’ll save my ICO post for later, but there is one story that is a bit more concrete and easier to understand and involves a company called Bitfinex.

Bitfinex, as measured in terms of liquidity and volume, is considered the top global cryptocurrency exchange.  It is nominally headquartered in Hong Kong, has (had) bank accounts in Taiwan, servers in Europe (Italy?), operations in San Francisco and a staff of around 30 altogether.

Source: RobotFinance

Above is a speculative corporate structure created back in September 2016 by an internet user by the name of RobotFinance.  He created it “based on the last annual return of Renrenbee Limited and statements made in the pitch forum.”  Unless you are registered as a user with BnkToTheFuture, you cannot view the pitch deck but an alleged copy of the Bitfinex deck can be found here and a discussion of it here.1  These leaked allegedly legitimate documents also suggest that Bitfinex did an equity swap at a $200 million valuation which was based on their financial growth and targets before they lost roughly $65 million in customer assets due to a hack that will be described below.

This post is not intended to single out Bitfinex as there are any number of other exchanges and wallet providers that could be looked at as well.  Nor is it intended to dive into all of the subsidiaries or even the entire history of the parent company or the cryptocurrency platform.  Rather it serves as an illustration of how new technology and financial controls could help increase visibility and transparency for all stakeholders involved, thereby reducing the risks for users and retail investors (among others).

Quick history

Last November I published an internal paper that may be released later this year which explored the proposed Winklevoss COIN ETF.  In it, I highlighted a detailed history of various cryptocurrency exchange platforms and their colorful pasts, some more sordid than others.

Rather than rehash all of those stories, below are a few details specifically related to Bitfinex:

  • In May 2015 Bitfinex was hacked and lost around 1,400 bitcoins (then worth around $350,000).  In August 2016, Bitfinex was hacked again and lost roughly 120,000 bitcoins (at the time worth around $65 million).2  In the first hack, Bitfinex basically ate the losses themselves.3
  • Following the second hack, Bitfinex announced a way to compensate its customers.  Why did it need to compensate the customers?  Because, following the second hack, it socialized the losses, seizing the remaining customer assets and giving nearly all of them a 36% haircut.4 In exchange for giving everyone a haircut, Bitfinex then self-issued two different “tokens” called BFX and then later RRT. These two tokens (or IOUs) effectively enabled Bitfinex to monetize their debt/losses.
  • According to their announcements, over 20 million BFX tokens were issued and exchanged for iFinex shares and then distributed to all affected users.  As a result, Bitfinex basically conducted, from the perspective of a user, a non-voluntary ICO where participation was mandatory, as the BFX token was directly linked to equity of the parent company and users/customers could (later) trade BFX on the Bitfinex exchange.5 In addition, according to a post last summer from their head of communications, “two out of the top ten BFX token-holders are in our management team.”  It is never revealed who these parties are or how they were made whole (or not).  Furthermore, it allowed “certain verified, non-U.S. Bitfinex users to convert tokens to equity through a new BFX Trust.”  They set up a dedicated BFX Trust site but did not include the verification requirements for non-accredited BFX holders.  Nor is there public information about who all of the Principals are and the holdings they have.6
  • RRT, the acronym for Recovery Rights Tokens, are opt-in coins issued, “to compensate victims of the security breach and, thereafter, to offer a priority to early BFX token conversions.”  It is unclear how many of these coins were issued or how many were redeemed.
  • To this day, Bitfinex still has not disclosed exactly how they got hacked, and last year even published an open letter to try to negotiate with the hacker, asking for the return of the funds as part of an ex post facto “bug bounty.”  It is believed that the hacker bypassed the transaction limits set in place by the BitGo multi-sig wallet but that is a story for another post.7
  • Prior to this hack, on June 2, 2016, the Commodity Futures Trading Commission announced that it had fined and settled with Bitfinex for offering regulated products without having properly registered to do so.  This is important because several vocal Bitcoin proponents have distorted the actual historical events.  According to the communications director of Bitfinex last year, “Bitfinex migrated to the BitGo setup before any discussion or anything with the CFTC happened.”8  In other words, this hack was not caused by the CFTC.
  • On April 3, 2017 Bitfinex announced that it was completing the redemption of all BFX tokens and they would all be subsequently destroyed.

How did Bitfinex manage to pay off tens of millions of dollars of self-issued debt in a span of less than 8 months?

Three explanations given by Bitfinex include:

  • Because Bitfinex is a popular trading venue and lists a number of other cryptocurrencies including Ether (both ETH and ETC), it generated enough cash-flow in the form of transaction fees to carve off some of the losses.9
  • Outside investors, through BnkToTheFuture, provided fresh capital in exchange for BFX tokens and equity.
  • Bitfinex had a reduction in their contingent liability reserves.10

Another more recent speculative theory explores the connection between BFX redemptions and a cryptocurrency called “Tether.”

Source: Bitfinexed

What is Tether?

Its exact relationship status is complicated. Depending on who you talk to that is affiliated or was affiliated with Bitfinex, Tether Limited is a partially, or fully, or not-at-all owned subsidiary of Bitfinex.  Tether was announced in July 2014 and was originally called “Realcoin.”11

And one of the continual challenges in trying to follow this saga is that Bitfinex representatives, co-founders, and investors often post key comments in disparate social media channels across reddit, Twitter, Youtube, WeChat, TeamSpeak, Telegram, and others.  For instance, there are several different reddit threads discussing the Tether terms of service involving a co-founder and another one with the general counsel, but this material is not centralized in a way for users to easily follow it all.

Source: FinCEN MSB Registrant Search

Tether Limited is also a regulated money service business and has applied to operate in nearly every US state and territory (see above).

What are tethers?

According to the official terms of service:

Based on the information above, tethers are not money or currency and may not necessarily be redeemable for money.

In practice a “tether” is intended to be a type of “stablecoin.”

What is a stablecoin you ask?

Because cryptocurrencies lack any native ability to rebalance or readjust themselves relative to a pricing index, their continual volatility (as measured by purchasing power) causes headaches and risks to users, including those moving money across borders.  That is to say, in the time span it may take to satisfactorily confirm 1 bitcoin being transferred from your wallet to a merchant overseas, the market price may have moved a percent or two or three.12

What if there was some way to lock-in a set price and not be exposed to these constant swings in price?  Some merchant processors like BitPay and cryptocurrency OTC trading desks do quote and lock-in prices over a period of minutes, but these are not usually targeting the cross-border payment and remittance market.13

Another proposed solution, albeit one that involves similar counterparty risk, is a stablecoin, whose value is guaranteed, or at least marketed, as being pegged at par to a specific exchange rate.  The risk in this case is that the exchange operator might not fulfill his or her end of the deal (e.g., abscond with the funds).

There have been several theoretical approaches to creating a native stablecoin and a few efforts to actually implement them in the wild. Last year JP Koning chronicled the fate of one of them called NuBits.  On reflection: at some point they all fail; their peg ends up failing for one reason or another.14

And tether is no exception.

Tether is not so tethered

Originally 1 unit of tether was supposed to be equivalent to $1 USD.  At the time of this writing it has fallen to $0.93.

Why?

While Bitfinex has made a few public statements about “pausing” wire transfers, there has been no major public statement explaining the precise nature of the drop in tether price.  So a small army of internet users have pieced together a probable theory and it comes back to how Bitfinex operates.

Earlier this month, a lawsuit revealed that Bitfinex had sued Wells Fargo, a bank that is integral to its correspondent banking relationships and that had refused to process their wires and returned the USD-denominated funds.  About a week later Bitfinex withdrew its lawsuit, but not before people pored through the documents.

In summary we learned that Tether (which is named in the court documents) is a mechanism for enabling cross-border money flows, although we cannot say what the exact purpose of these money flows was (e.g., pay for college tuition? buying a home? paying for a large order of buttery popcorn?).

Over a span of a few months, tens of millions of USD had been wired through Wells Fargo into and out of four different banks in Taiwan at which Bitfinex, Tether Limited, and other affiliated subsidiaries had commercial bank accounts.  At some point this past March or perhaps earlier, someone on the compliance side of Wells Fargo noticed this large flow of USD and for one reason or other (e.g., fell within the guidelines of a “suspicious activity report”?), placed a hold on the funds.

In early April Bitfinex’s parent company, as noted above, filed a lawsuit for Wells Fargo to release these funds, but about a week later retracted its suit.

According to a recent post from Mark Karpeles, the CEO who helmed Mt. Gox prior to its infamous bankruptcy, these actions set in motion a type of Streisand Effect: the lawsuit became newsworthy on mainstream media sites and consequently other banks — and compliance personnel at other banks — learned about the cryptocurrency exchange called Bitfinex and might (have) become wary of doing business with them.

We can only speculate as to all of what happened next, but we do know for certain that the bank accounts Bitfinex and Tether used in Taiwan were either fully terminated and/or unable to withdraw USD from late March until at least the time of this writing.

This is not the first time Bitfinex has been “debanked.”  Phil Potter, the CFO of Bitfinex, recently gave an interview and explained that whenever they have lost accounts in the past, they would do a number of things to get re-banked.

In his words: “We’ve had banking hiccups in the past, we’ve just always been able to route around it or deal with it, open up new accounts, or what have you… shift to a new corporate entity, lots of cat and mouse tricks that everyone in Bitcoin industry has to avail themselves of.”

But this story isn’t about debanking cryptocurrency companies, a topic which could include the likes of Coinbase (which has been debanked multiple times as well).

Because there is currently no USD exit for Bitfinex users, a price discrepancy has noticeably grown between it and its peers.  The spread between exchanges is typically a good indication of how difficult it is to move into and out of fiat in a country as there are boutique firms that spend all day and night trying to arbitrage that difference.

In the case of Bitfinex, the BTC/USD pair now trades at about $50 to $75 higher than other exchanges such as Bitstamp.  This ties back into the challenges Mt. Gox users had in early 2014: as the ability to withdraw into fiat disappeared, the market price of bitcoins on Mt. Gox traded at a dramatically different level than other cryptocurrency exchanges.

That is not to say that what is happening at Bitfinex is the same thing that happened at Mt. Gox.15  However, there have not been many publicly released audits of most major exchanges in the wake of Mt. Gox’s bankruptcy three years ago.16  Notably, BTC-e publicly stated it would begin publicly publishing accounting statements certified by external auditors.  It and its peers have not.

More questions than answers

About nine months have passed since the largest (as measured by USD) single successful attack took place on a cryptocurrency platform.17 Yet there are still many lingering questions.

For instance, on August 17, 2016, Bitfinex announced that they had hired Ledger Labs who, “is undertaking an analysis of our systems to determine exactly how the security breach occurred and to make our system’s design better going forward.”

According to one post, Michael Perklin was the Head of Security and Investigative Services at Ledger Labs and part of the team leading this investigation.  However in January 2017 a press release announced that Perklin was joining ShapeShift as the Chief Information Security Officer; his profile no longer exists at Ledger Labs.18

Thus the question, what happened to the promise of a public audit?

Other questions that remain: as noted above, two of the ten biggest initial debt token (BFX) holders were employees.

Why did Bitfinex redeem the BFX tokens after they knew USD withdrawals were shut down?19  How many insiders such as investors and employees owned that last batch of redemptions?  What was the benefit of redeeming that last batch when they knew they were losing international wire capabilities?

It appears after the hack that Bitfinex shifted assets from the Bitfinex side of the books to the customer side. Who owned the bulk of both tokens, and what protection are these virtual assets given by not being on the company books?  Or are they still on the books?

In terms of them redeeming after the withdrawals were ended, the original lawsuit documents lay out that as of March 31st, Bitfinex were actively emailing Wells Fargo about the shutdown. The final BFX redemption was done a couple of days later and the lawsuit was filed shortly afterwards. It was roughly a week later that Bitfinex informed the public about this international wire issue.  And Tether did not formally announce the issues until a few days ago.

Perhaps it is just miscommunication and only a matter of time before these questions are answered.

Going forward

Nearly two months ago, the SEC rejected a rule change for the COIN ETF to be listed on the BATS exchange.  Last week, the SEC said it would review that ruling.

Among other comments, the original 38 page ruling (pdf) gave a number of reasons why the Gemini-listed Winklevoss COIN ETF was being rejected. In the Commission’s words:

First, the exchange must have surveillance-sharing agreements with significant markets for trading the underlying commodity or derivatives on that commodity. And second, those markets must be regulated.

Later the Commission also writes that:

The Commission, however, does not believe that the record supports a finding that the Gemini Exchange is a “regulated market” comparable to a national securities exchange or to the futures exchanges that are associated with the underlying assets of the commodity-trust ETPs approved to date.

While the Gemini exchange is regulated in New York through a Trust charter, the vast majority of cryptocurrency exchanges and trading venues whose funds flow into and out of Gemini are not.20

It is unclear what will happen to Tether holders, if they will ever be made whole.  Or what will happen to Bitfinex and future bank accounts.  Or if the COIN ETF and other similar cryptocurrency-denominated ETFs will be green-lit by securities regulators.  Maybe these are all bumps in the road.

What we are a little more certain about:

(1) The Bitfinex hackers are still at large and no public post-mortem has been done to explain how it happened and what will be done to prevent future attacks.

(2) The unilateral self-issuance of the BFX “cryptoequity” was not done in a fully transparent manner as some customers had bigger haircuts than others nor is it clear if the extinguishing of these BFX coins was done through the use of tethers.

(3) That the tether “stablecoin” is not inherently stable and depends on fiat liquidity via the international correspondent banking network which raises the question of how to stabilize tether in the event that Tether Limited loses its bank accounts again.21

(4) That marketplaces such as Bitfinex — despite a general lack of transparency (where is the “About” page with executive bios?) — are still used as part of the weighting mechanisms in ETFs, including at one stage the Winkdex (which has since been deprecated) as well as the current Tradeblock XBX index used in a couple other proposed ETFs.

Solutions

As mentioned at the beginning of the post, the current trend over the past four years is that as Bitcoin intermediaries continue to operate as intermediaries and trusted third parties they increase their chances of regulatory scrutiny and oversight.

This empirical fact versus the original theoretical cypherpunk vision is arguably a type of cognitive dissonance.  As Section 1 of the Nakamoto whitepaper explained:

Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services.

The Bitfinex hack that occurred in August 2016 created measurable amounts of new transaction costs that ended up being mediated through a wide array of social media channels; non-reversibility does not appear to have helped reduce these costs.  For all of the “backed-by-maths” and “epistemological” talk about routing around trusted third parties, Bitfinex and its peers still play a key role in providing continuous fiat <–> cryptocurrency liquidity to the marketplace.  And as illustrated with the lawsuit above, by and large, these exchange platforms depend on banking access more heavily now than at any time before.

Last summer I proposed a Kimberley Process for Cryptocurrencies: in which market participants met with various regulatory stakeholders to iron out how to stop predators, remove encumbrances, and create best-practices for financial controls in this nascent space.

As more cryptocurrency platforms attempt to comply with a variety of regulations including the surveillance collection and sharing requirements (e.g., KYC and AML), this will likely increase the demand for the tools found in the growing field of “regtech.”

For example, if Alice can cryptographically prove the chain-of-custody from her customer to her customer’s customer, then she may be able to comply with the bank’s surveillance requirements and maintain her bank accounts — and international wiring access — as she grows her remittance platform.

There is a set of technology under development and in early pilots that enables authentication, provenance tracking, and document management, and much of it involves digital signatures, standardized/mutualized KYC processes, and permissioned distributed ledgers.  Documentation management, in this case, goes beyond just hashing and timestamping documents to include automatically updating legal agreements and contracts over their entire lifecycle.
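
To make the chain-of-custody idea concrete, here is an added example (not code from this post or from any vendor named in it) in which each party signs a record that commits to the hash of the previous hop, and a compliance team audits the chain against a registry of known public keys. The party names, amounts, timestamps and the `registry` are constructed for illustration, and Lamport one-time hash-based signatures stand in for a production scheme such as Ed25519 so that the block runs on the Python standard library alone.

```python
import hashlib
import json
import secrets

GENESIS = "00" * 32  # "prev" value of the first hop

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signatures: a stand-in for Ed25519/ECDSA (assumption),
# chosen only because it needs nothing beyond hashlib. One key signs ONE record.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    digest = int.from_bytes(H(msg), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))

def canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and auditor hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_hop(chain, sk, sender, receiver, amount_cents, ts):
    """Sender signs a record that commits to the previous hop's hash."""
    body = {"seq": len(chain), "sender": sender, "receiver": receiver,
            "amount_cents": amount_cents, "ts": ts,
            "prev": chain[-1]["hash"] if chain else GENESIS}
    msg = canonical(body)
    chain.append({"body": body, "hash": H(msg).hex(), "sig": sign(sk, msg)})

def audit(chain, registry):
    """What a bank's compliance team could run: returns (ok, reason)."""
    prev, holder = GENESIS, None
    for i, rec in enumerate(chain):
        body = rec["body"]
        msg = canonical(body)
        if body["seq"] != i or body["prev"] != prev:
            return False, f"hop {i}: broken hash link"
        if H(msg).hex() != rec["hash"]:
            return False, f"hop {i}: body does not match recorded hash"
        pk = registry.get(body["sender"])
        if pk is None:
            return False, f"hop {i}: sender not in KYC registry"
        if not verify(pk, msg, rec["sig"]):
            return False, f"hop {i}: bad signature"
        if holder is not None and body["sender"] != holder:
            return False, f"hop {i}: custody gap"
        prev, holder = rec["hash"], body["receiver"]
    return True, "ok"

def build_demo():
    """Constructed sample: bob (Alice's customer) -> alice -> carol."""
    bob_sk, bob_pk = keygen()
    alice_sk, alice_pk = keygen()
    registry = {"bob": bob_pk, "alice": alice_pk}  # hypothetical KYC registry
    chain = []
    append_hop(chain, bob_sk, "bob", "alice", 250_000, "2017-04-20T09:00:00Z")
    append_hop(chain, alice_sk, "alice", "carol", 250_000, "2017-04-20T09:05:00Z")
    return chain, registry

if __name__ == "__main__":
    chain, registry = build_demo()
    print(audit(chain, registry))
    chain[0]["body"]["amount_cents"] = 1  # edit a signed record after the fact
    print(audit(chain, registry))
```

The timestamps here are self-asserted by the signer; an auditor who needs to rely on them would want them countersigned by an independent timestamping service.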

Some of it also involves sophisticated data analytic tools created by startups such as Blockseer and Chainalysis.  Universities such as UCL are automating regulatory processes.  And on the enterprise side, there are companies that have built a shared KYC registry and other identity-related tools for highly regulated financial institutions to comply with a battery of reporting requirements.22

Whether these will be adopted by the cryptocurrency community is another matter, but these tools will soon exist in full production mode and could help provide better visibility, auditability, and transparency for investors, users, entrepreneurs, law enforcement, compliance teams, and regulators around the world.

If you’re interested in learning more about these mechanisms, feel free to reach out or leave a comment below.

Endnotes

  1. During an interview on April 3, 2017, Phil Potter mentioned that Bitfinex has 25 shareholders and BnkToTheFuture SPV.  In the same interview someone says that there are 450 shareholders of their equity but it is unclear if that is through the BFX token.
  2. Approximately 1,061 of these coins were moved in March 2017.
  3. Bitfinex, like all other cryptocurrency exchanges, has experienced significant price crashes in 2014, 2015, and again in 2016 — often as the consequence of a hack.
  4. There were exceptions. Some users reported smaller haircuts as they were customers of SynapsePay.  Another user claims to have retained a lawyer and he did not have any haircut.  In an interview on April 3, 2017, Phil Potter mentions that they had received some “demand” letters from customers but Bitfinex was able to “quell” those.  See also: You’ve Been ButtFinessed from BitMEX
  5. BFX was not initially tradeable.
  6. One staff member is publicly listed, Alistair Milne, but no information is given as to how much BFX, RRT, and company equity he or other staff of BFX Trust may own.
  7. You’ve Been ButtFinessed from BitMEX
  8. Group correspondence, August 3, 2016
  9. In an interview on April 3, 2017 Phil Potter mentions that the past month they generated $3.5 million (net) from trading volumes and that there are 175 million shares outstanding.
  10. In an interview on April 3, 2017, Phil Potter mentions that they used the “vast majority” of these reserves.
  11. The CTO of Realcoin, Craig Sellers, is also the current CTO of Bitfinex.  Sellers is currently a team member of the Omni Foundation.  The general counsel of Tether and Bitfinex are the same individual, Stuart Hoegner.  Brock Pierce is the co-founder of Realcoin. The underlying technology for Realcoin/Tether is Mastercoin, a platform managed by the Mastercoin Foundation (now called the Omni Foundation).  Pierce was one of the founding members of the Mastercoin Foundation before resigning in July 2014.
  12. Depending on the transaction fee sent to a mining pool, the suggested “safe” confirmation intervals are 3-6 blocks which on average takes 30-60 minutes to build on and propagate across the network.
  13. There are some remittance companies that utilize Bitcoin as a payment rail; they often try to lock-in a specific value amount during a time-boxed time period but it varies depending on local conditions and business models.
  14. BitUSD is the sole survivor right now, although it has relatively very little volume.
  15. The missing Mt. Gox bitcoins from WizSec
  16. During an April 3, 2017 interview Phil Potter mentions that in order to get an auditor to look at their books, it would be easier to do if they first got rid of the BFX token.
  17. The DAO was a DAO, not an exchange.
  18. There are several other interconnected relationships: according to a prior funding announcement, Bitfinex is an investor in ShapeShift.  Similarly, at least one principal in Bitcoin Capital, which has invested in ShapeShift, is also an executive at BnkToTheFuture, which led the recapitalization of Bitfinex following its August 2016 hack.
  19. During an interview on April 12, 2017, Phil Potter mentioned that when trying to acquire a new banking partnership, the BFX debt tokens were a problem for them, so Bitfinex redeemed them.
  20. A few others have obtained a BitLicense, but on the whole, most cryptocurrency exchange platforms do not attempt to comply with the strict requirements found in either the BitLicense or Trust charter in New York, let alone at a national level.
  21. Based on the current terms of service, according to the Tether Limited general counsel, tethers may not be redeemable for a variety of reasons.
  22. This is not to say these new tools are a panacea or silver bullet for detecting all types of money laundering or preventing fraud or stopping identity fraud.  A standardized KYC framework and digital signature-based toolset can help mitigate some of these issues.

2 thoughts on “How newer regtech could be used to help audit cryptocurrency organizations”

  1. Tim
    You have written the article we wanted to write on Bitfinex. This is the first detailed, long look at the situation by a name in the industry. You checked it all and gave it a real thorough scrubbing and brought the shadows into the light. You even tied it back to the SEC’s complaints about the Bitcoin ETF, like we did in our expose of Barry Silbert and Bitcoin’s Malfeasance Culture.

    https://medium.com/@charlescmackay/barry-silbert-and-the-cost-of-bitcoins-malfeasance-culture-f83d15ad07d1

    Since we wrote that article Barry Silbert launched an investment Trust to sell his bags to others. The work continues. Until these dodgy actors are shunned out of the space and out of business, until this stops, we will all suffer for it.

    From our whole heart, thanks mate. You’ve made tonight a bit brighter for us. ~CCM

  2. I am not sure I see the clear logical need for a separate “Kimberley Process” for crypto-currencies. Is regular regulation = audit not sufficient? Are you implying that Gemini and other regulated US based exchanges are susceptible to the same type of mis-management as BitFinex?

    From what I read, it appears the issue is that people preferred to trade with an unregulated foreign exchange (as they did with Mt. Gox), and, as was clearly predictable, they are getting burned.
