To protect their funds from hacker attacks, wallet owners should keep their keys in offline wallets, and cryptocurrency exchanges must use secure servers and trusted payment systems. This is the opinion of Aviya Arika, Head of Blockchain Innovation at Nir Porat & Co. Law Firm. Aviya will present at Blockchain & Bitcoin Conference Switzerland, so we talked to her about the cyber security of cryptocurrency exchanges and the practices of regulating such organizations.
– Hello, Aviya! We can see from the media that it is not uncommon for hackers to steal funds from the wallets of ordinary cryptocurrency exchange users. What do you think people should do in order to minimize the risk of losing funds from their stock exchange accounts?
– Hello! If you, as a user, choose to keep your coins on the exchange itself instead of sending them to an external wallet whose private keys you control, then you are automatically increasing your risk level. There is a saying in the crypto world: “not your keys — not your coins!” and this is essentially true, because when you keep your coins on the exchange, practically it means that the coins are stored in the exchange’s wallet, a wallet (and private keys) which is within the exchange’s control. An exchange in its currently most common centralised form has a single point of failure, and if this point of failure is compromised (for example, gets hacked), then the hacker gets control over the private keys, meaning control over the exchange’s wallets, meaning your coins are gone.
Therefore, to minimise risk it’s always better to get your coins out of the exchange and into your own wallet, the private keys of which you and only you have control over. If you can’t do this because, for example, you want to have available balances of coins for trading on the exchange, then at least make sure you use two-factor authentication and other control measures, to protect your account as much as possible.
– And vice versa: what should cryptocurrency exchange owners do to minimize the probability of their users’ funds being stolen?
– The crypto exchange industry has developed enough to have already installed clear best practices for coin storage and security. To name one, geographically dispersed offline (“cold”) storage should be used for most of the coin reserves, while keeping the minimum possible stored online (“hot”) to enable liquidity and smooth execution of trades. More things to consider are choosing trusted employees, top-notch payment systems and secure servers.
It’s also important that the exchange be as clear and as instructive as possible in its terms of use, for example by making distinctions between the user’s responsibilities with regard to security (such as keeping the account info confidential, using 2FA, reasonable email address care, etc.) and the exchange’s responsibilities.
– In your opinion, which of the existing exchanges is most protected against theft? Why do you think so?
– This is a tough question to answer and maybe not so fair. I cannot name just one or two exchanges, since all of the exchanges I’ve encountered take security precautions and put a great deal of emphasis on safety and security. I would say that an unsafe exchange is one that doesn’t employ 2FA, uses insecure servers and stores a majority of coins online.
– How do you think cryptocurrency derivatives (for example, bitcoin futures) will affect the exchanges in the long run?
– Crypto derivatives affect crypto prices, and that always has an effect on exchange traffic. A recent case was when CME and CBOE launched bitcoin futures back in December: bitcoin prices rallied, which led to increased exchange traffic. Many exchanges couldn’t take the heat and even suspended new account registrations or orders altogether.
– In your opinion, what jurisdiction is the most loyal to the activity of cryptocurrency exchanges? Explain why.
– To this day, not many jurisdictions have been clear about their stance on crypto exchanges. Among the ones who did, and these are also my choices of “loyal” jurisdictions, are Estonia, Gibraltar, Switzerland, Malta and South Korea. These countries have specifically referred to crypto exchanges and allocated designated regulatory frameworks for this activity. I think the Canadian Senate was also very wise to follow Andreas Antonopoulos’ advice when he testified in front of Canadian Senate members back in 2015 and take a “wait and see” approach, to better understand crypto exchanges and not regulate them right away. The UK is also worth mentioning, as it installed a unique sandbox approach in the image of the “innovation hub”.
On the other hand, quite surprisingly, some countries which would be expected to show innovativeness towards crypto exchanges haven’t quite done so. Singapore, which is considered overall ground-breaking in crypto friendliness, hasn’t yet included crypto exchanges as a formally acceptable activity under the SVF license. The U.S., which is an enormous crypto empire with so many things happening, is failing to address crypto exchanges’ regulatory needs, as it chooses, at both the state and federal levels, to refer to crypto exchanges as money transmitters and demand an MSB license, even if this license is outdated and does not answer the needs and risks of crypto exchanges, which are such a modern, cross-border creature.
– In which three countries are ICO startup investors best protected by the law? Why these countries?
– A distinction needs to be made between ICOs which sell securities, and ICOs which sell utility tokens. When it comes to offering securities to the public, all countries today demand that token issuers be registered and licensed according to the securities laws of that country (since this is a lengthy and pricey process, many token issuers choose to “disguise” themselves as utility tokens instead of registering as securities). Securities laws protect investors at a very high level, but the issue is that not many token issuers actually register as securities issuers. In the U.S., out of the numerous ICOs that occurred and the trillions of dollars that were raised from U.S. investors, not even one ICO has registered with the SEC to this day! So, securities laws may be protective, but they aren’t of much use if ICOs aren’t complying with them.
When it comes to ICOs selling utility tokens, most countries haven’t regulated this activity specifically and it falls into existing frameworks such as contract law, anti-money laundering, privacy and consumer protection. While these legal frameworks indeed protect investors/consumers, they are not adjusted to ICO reality and therefore may not protect investors against some of the unique risks ICOs entail.
Those countries which have gone the extra mile and specifically regulated utility tokens protect investors in a better way, as I see it, since they acknowledge ICOs as a unique creature and treat utility tokens as what they are.
Switzerland was especially innovative and forward thinking, as it was the first out of the EU states to refer to ICOs, using a sensible approach of not regulating all ICOs, but examining them on a case-by-case basis and then determining whether they require financial regulation under FINMA, or whether they can be registered as a self-regulated organisation.
After Switzerland came Malta, which passed a new Virtual Currencies Act, a law that sets a framework for ICOs and refers both to selling financial instrument tokens and utility (“application”) tokens. Belarus has taken an especially permissive approach, allowing ICOs to sell any kind of tokens, without distinction between securities and utility tokens.
Gibraltar has the DLT regulation, an open-ended regulation that doesn’t refer specifically to ICOs, but it does bring the financial regulator, the GFSC, into the picture to approve token sales on a case-by-case basis while establishing a clear code of conduct with defined principles such as honesty, customer care and risk management.
So, to sum up what a generally protective jurisdiction is to me, I would say it’s a jurisdiction that doesn’t ignore utility tokens as just another product like shoes or cars, but rather specifically adheres to ICOs as a category of their own and brings the financial regulator into the picture to ensure proper investor protection in the case of all tokens, regardless of their categorisation.
– What will your presentation at Blockchain & Bitcoin Conference Switzerland touch on?
– I’ll give an overview of crypto exchanges: how they work, and a comparison of centralized vs. decentralized business models. Then, I will explain how the business model affects the risk and regulation that the exchange should comply with: centralised exchanges have custody over funds and control over clients’ private keys, therefore heavier regulation usually applies. On the other hand, decentralised exchanges and some unique centralised exchanges do not have private key control, which means they aren’t custodial and therefore are usually not subject to exchange regulation. As I said, “not your keys, not your problem!”
I will drill down into regulatory requirements and give an overview of the main crypto exchange jurisdictions: Switzerland, Malta, Gibraltar, Estonia, Lithuania and the U.S. I will discuss risk transparency and mitigation, and how an exchange can be on top of and “manage” its regulatory framework. I think my talk is going to be very useful to various types of audiences, including entrepreneurs seeking to set up a crypto exchange, existing exchanges and end-clients who use exchanges to buy and sell cryptocurrencies.
Register to Blockchain & Bitcoin Conference Switzerland and find out more about the regulation of crypto exchanges from Aviya Arika’s presentation.