The day after the U.K.-based EXMO crypto exchange was hacked last month, reportedly losing 6% of its crypto assets, the team got a call from the U.K.’s Financial Conduct Authority (FCA).
The FCA recently put the exchange on the list for temporary registration and wanted to know what EXMO, an exchange with $117 million in daily volume, according to CoinGecko, was going to do to prevent such incidents in the future, the exchange’s COO Sergey Zhdanov told CoinDesk, providing rare details about how exchanges address regulatory requirements in the U.K.
The country has been a jurisdiction of choice for many crypto startups. “The U.K. has always been a strong hub for financial companies, whether they are crypto or not. The regulatory framework, unlike other countries, for crypto has gradually started to become clearer and I feel this clarity is what companies are really searching for,” Iqbal V. Gandham, former managing director of eToro in London, told CoinDesk.
Last year, the country got serious about taking control of the crypto industry. This past summer, the FCA told cryptocurrency service providers they needed to register to keep operating in the U.K..
Since then, multiple applications have flowed in, prompting the agency to introduce a temporary registration regime for the companies it wouldn’t be able to vet before the Dec. 16, 2020, deadline. So far, only four companies have obtained the full registration, including the Winklevoss brothers’ Gemini exchange.
The list of 95 companies that received temporary authorization includes exchanges Bitstamp, Coinfloor and eToro, and infrastructure players Fidelity Digital Assets, Galaxy Digital, among others. EXMO, a smaller crypto exchange with a largely Russian and Ukrainian team, was on the list, too.
Instead of waiting around for cats to herd themselves, the FCA reached out to the companies, which is why last January the agency contacted EXMO to remind the exchange that new regulations were coming, Zhdanov said.
“They said: ‘We’re monitoring all the crypto exchanges and wanted to make sure you know that you should be doing user verification. I was surprised that they contacted exchanges themselves,” he added.
How it started
EXMO was launched in 2014 by a team of Russian crypto enthusiasts headed by then-real estate developer Ivan Petukhovsky. “If I knew back then how challenging it [the business]would be, I probably wouldn’t even have started it,” he told CoinDesk over a call.
Even though the team initially was located in Thailand, where Petuknovsky’s real estate business was located, EXMO chose to register its headquarters in the U.K.
“Back then, nobody understood if a legal entity [for a crypto business]was needed and if it was important at all,” Zhdanov said. “But after mid-2017, after the [initial coin offerings], all the banks turned away from crypto and we realized that a legal entity was very important.”
Getting a bank account is a problem for the crypto industry; even now, only a handful of banks are serving crypto businesses, Zhdanov said. It didn’t matter that much at the dawn of the crypto industry, in 2016 and earlier, he added. Back then, partnering with payment processors was enough to provide small crypto purchases, while for large amounts of crypto people would often just pay the over-the-counter brokers with cash.
But as crypto got more attention, the need for a bank account became more urgent.
Things got slightly better over time, but not a whole lot. “In 2018, we got a lot of rejections from banks,” Zhdanov said. “Back then, 90% of banks would refuse to work with crypto. Now, it’s probably 80%.”
The other 20% or so apply strict compliance rules, he added. In Europe, as the industry is getting more regulated it’s getting a bit easier.
But even having a legal entity does not guarantee a bank would serve you, Zhdanov said. At first, EXMO got an Estonian license – one of the first registration formats for crypto businesses in the world. But that did not open the doors of banks for EXMO, Zhdanov said. Only in early 2020 did the exchange get an account with Lichtenstein’s Friсk Bank.
How it’s going
Since last year, stricter anti-money laundering (AML) rules, under the so-called AML5 directive, came into force across Europe. EXMO introduced obligatory authentication for users. Users did not like it, Zhdanov said: About 10% of EXMO’s clients left immediately. “Someone just didn’t want to get verified, someone tried, got an error and didn’t want to try again,” Zhdanov said.
However, all the big traders stayed on the platform because they had already been verified, he noted. Verification gives more control, so if an account gets compromised a verified user can ask the exchange to stop a withdrawal transaction by proving an intruder is trying to get money out.
Now, with the registration and more regulatory requirements, the compliance team of EXMO was nearly doubled, to 26 people. Overall income fell 10%, Zhdanov said, both because of the users’ outflow and the new costs of more compliance officers, new software for transaction-tracing and keeping up with sanction lists.
EXMO is relying on the outsourced contractors located in Russia and Ukraine for tech support. FCA appeared to be interested in why the workforce is located in these “high-risk” countries, Zhdanov said. The explanation that it’s more “cost efficient” worked, he added.
To users in such countries, the exchange is applying an “enhanced due diligence,” Zhdanov said. EXMO is especially popular among Russian-speaking traders, and the majority of users come from Russia, Ukraine and Belarus.
Another question was how many people are using EXMO, but there is a catch: How do you define a “user”? Someone who registered on a platform? Someone who has a deposit in an account? Someone who did at least one trade? These can be different numbers, the EXMO team said. They ended up counting how many users made at least one trade over the past year, Zhdanov said. That turned out to be 400,000 users.
The FCA asked how many of those were verified, and why not all. The team explained that some people had been trading but didn’t try to withdraw money from their accounts, so for the time being there was no risk associated with such users and no need to verify them. The FCA seemed to accept the logic because it hasn’t asked about this anymore, Zhdanov said. The agency also requested a sample of cases for users blocked for AML reasons, with the detailed reports.
Overall, despite the burden of the new regulation, FCA’s approach seems reasonable so far, Zhdanov said: “Their job is to protect users. That’s what is shaping their interaction with us.”