January 26, 2026


Your Crypto Exchange needs this.. NOW! – Corporate Governance –


Source: https://phys.org/news/2018-08-energy-bitcoin.html

Corporate Governance is of paramount importance for any organization to achieve its objectives. This is probably more important for startups in the finance space, especially if your startup operates in the emerging cryptocurrency industry.

In recent times, there has been a surge in the number of companies operating in the cryptocurrency space. Numerous crypto exchanges have come into existence in different corners of the world, and many are going global too. However, it is not surprising that an equal number of exchanges are disappearing or being forced to shut down.

One of the key reasons why these exchanges are not able to sustain themselves is the lack of importance given to corporate governance. For example, cyber security risk is probably the most consequential risk that crypto exchanges face. One breach or hack can shut down the entire exchange overnight. This is not just theory: there have been exchanges in the past which did very well until they were hacked and were forced to shut down (remember the Mt. Gox hack?).

Exchanges which have understood the importance of a strong corporate governance function have thrived despite the many challenges they face. So what has led some crypto exchanges to succeed in such a difficult space while others struggle? The obvious reasons are, of course, a superior trading platform and seamless customer service. However, another very important factor in their success is a fanatical focus on corporate governance. After analysing the anatomy of the corporate governance mechanisms of some of the most successful crypto exchanges, I have developed a corporate governance framework which every crypto exchange should try to follow in order to survive and thrive. Note: I am taking into account only those top risks which are very specific to crypto exchanges and not common to every industry.

The Corporate Governance Framework at every crypto exchange should include controls to mitigate the following key risks:

1. Cyber security risk: The risk of getting hacked, resulting in the loss of cryptocurrencies under the exchange’s custody

2. Legal risk, which can be further divided into regulatory risk and compliance risk:
   • Regulatory risk: Risk of crypto exchanges being banned by the regulators of a particular country
   • Compliance risk: Risk of penalties and fines due to non-compliance with rules and regulations (e.g. GDPR)

3. Anti Money Laundering and Terrorist Financing risk: Risk that an exchange’s platform is used for money laundering or terrorist financing

4. Banking risk: Risk that bank accounts belonging to the exchange are frozen

5. Fraud risk: Risk that fraud is committed by employees, vendors or customers

6. Incorrect customer balance accounting and reporting risk: Risk that the fiat and crypto balances belonging to customers have been recorded inaccurately or incompletely

7. Technology risk: Risk that the trading platform and other products/services provided by the crypto exchange become obsolete compared to those of competitors

Below are components of an ideal corporate governance mechanism which every crypto exchange should adopt in order to mitigate the key risks:

1. Cyber security risk: Arguably, this is the biggest risk which crypto exchanges across the world face. Exchanges should implement a multi-pronged approach to counter it:

a. User access rights: The cryptocurrencies of all customers should be kept in secured wallets owned and managed by reputed third parties, or in wallets owned and managed by the crypto exchange itself. Access to cold, warm and hot wallets should be approved by management and reviewed on a periodic basis. Further, these accesses should be backed by 2FA protection: authorised users can access the wallets only once they have entered their password and authenticated themselves with a second factor. This double layer of protection ensures that only authorized employees are able to access the wallets. It also helps to mitigate the one-man dependency risk recently faced by QuadrigaCX, where cryptocurrencies worth C$190 million were trapped because the CEO, the only person with access to the cold wallets, died suddenly.

b. Dual authorization (Multi-sig wallets): All wallet transfers should require a minimum of dual authorization. This ensures that no single employee can transfer cryptocurrencies outside the exchange.

c. Proof of Reserves: A healthy practice for any crypto exchange is to engage reputed auditors and demonstrate proof of reserves. This not only helps the customers of the exchange, but also raises confidence amongst regulators. It also raises the bar for all internal parties to maintain 100% integrity of customer funds.
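To make the access-rights and dual-authorization controls above concrete, here is an added Python model (my own illustration, not code from the article or from any exchange) of a management-approved wallet access list with periodic review, 2FA-checked sessions, and a transfer gate that refuses anything short of two distinct authorized approvers. The 90-day review interval, the user names and the session fields are assumptions.

```python
from dataclasses import dataclass
from datetime import date

REVIEW_INTERVAL_DAYS = 90  # assumed review cadence; the article only says "periodic"


@dataclass
class AccessGrant:
    user: str
    wallet: str          # "cold", "warm" or "hot"
    approved_by: str     # the manager who approved the grant
    last_reviewed: date  # date the grant was last re-confirmed


@dataclass
class Session:
    user: str
    password_ok: bool    # first factor verified
    totp_ok: bool        # second factor (2FA) verified


def access_review_findings(grants, today):
    """Flag grants overdue for review and wallets with a single key holder
    (the one-man dependency the article describes)."""
    findings = []
    for g in grants:
        if (today - g.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append(f"stale review: {g.user}/{g.wallet}")
    holders = {}
    for g in grants:
        holders.setdefault(g.wallet, set()).add(g.user)
    for wallet, users in sorted(holders.items()):
        if len(users) < 2:
            findings.append(f"single key holder on {wallet} wallet: {', '.join(sorted(users))}")
    return findings


def authorize_transfer(grants, sessions, wallet, amount):
    """Dual authorization: approve only when two *different* users, each with an
    approved grant on this wallet and a 2FA-verified session, sign off."""
    allowed = {g.user for g in grants if g.wallet == wallet}
    approvers = set()                      # a set, so one user cannot count twice
    for s in sessions:
        if s.user in allowed and s.password_ok and s.totp_ok:
            approvers.add(s.user)
    if len(approvers) < 2:
        return False, f"need 2 distinct authorized approvers, got {len(approvers)}"
    return True, f"transfer of {amount} from {wallet} approved by {sorted(approvers)}"
```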

2. Regulatory risk: This risk is uniquely complex for cryptocurrency exchanges, as the world is still struggling to adapt to this new technology and contemplating ways to regulate (or not regulate) this industry. The following controls should be put in place to tackle regulatory risk:

a. Efficient legal team: Exchanges should hire a best-in-class legal team with expertise in crypto regulations across the world.

b. Best-in-class legal advisors: Exchanges need to partner with the most competent legal advisors across the globe, who advise them on matters across all business activities. While the above two may seem like obvious recommendations, most crypto exchanges actually do not hire the right people, often underestimating the importance of a good legal team.

c. Legal-opinion-based work: Do not undertake any major activity without seeking a clear and formal opinion from lawyers who are experts in the particular field. This needs to be followed strictly for all activities where a legal opinion is required.

d. Research: An efficient in-house legal team should be made responsible for conducting extensive and continuous research on various topics related to crypto exchanges. Periodic presentations on major updates in the legal and regulatory landscape need to be made to the Board.

e. Education: Given the cutting-edge technology and financial nature of crypto, various internal education initiatives need to be undertaken with the objective of bringing different teams, including operations, technology and marketing, up to speed with legal obligations and processes.

3. Compliance risk: The compliance team needs to ensure that the exchange is compliant with all regulations at all times in all jurisdictions. This can be achieved by following the practices below:

a. Checklist: A detailed checklist should be prepared for all jurisdictions, detailing all compliance obligations that the exchange needs to meet. This checklist should be broken down into specific action items, each with an individual owner responsible for it. As and when a task is done, the owner should update the checklist. Remember: every task needs one clearly identified owner responsible for completing it.

b. Calendar: An organization-wide compliance calendar with due dates for all key obligations should be created and circulated amongst all concerned individuals. This helps them keep track of all important compliance obligations and their deadlines, and plan their work accordingly.

4. Anti Money Laundering and Terrorist Financing: Since fiat-to-crypto exchanges handle fiat currencies, there is a risk that the platform might be used for exchanging illegal money and for terrorist financing. Exchanges should have a dedicated KYC and AML team responsible for mitigating the AML and terrorist financing risk.

a. KYC: Only KYC-registered users should be allowed to trade on the platform. At the time of on-boarding, the user needs to provide proof of ID, proof of address and, if need be, a video ID or selfie. Further, on reaching a certain threshold of deposit, withdrawal or trade transactions, the user also needs to provide proof of income.

b. AML: A dedicated team should monitor all transactions on a real-time basis using software such as Chainalysis, AMLock etc. If the team has reasonable grounds to suspect that a user is using the platform for laundering money, his or her account should be immediately suspended pending further investigation. Once all documents and information are collected and analyzed satisfactorily, the account can be restored. Further, suspicious transaction reports (STRs) should be filed with the Financial Intelligence and Analysis Unit (FIAU). You also need to ensure that you satisfy all AML/KYC requirements of the jurisdiction you are dealing in. For example, if you are in Australia then you need to register with AUSTRAC and comply with local requirements.

5. Banking risk: Well, there is nothing really any exchange can do about this. However, an exchange should try its best to ensure that it has sufficient bank accounts at all times, so that users get a seamless fiat deposit and withdrawal experience. Certain resources should be employed full time to reach out to as many banks as possible and provide all the documents the banks need for opening accounts. Exchanges need to have a good banking portfolio offering different payment methods to their customers.

Another important thing is to treat bankers as your business partners and keep them updated about various KYC, AML and other initiatives by the exchange.

6. Fraud risk: Exchanges need to have an independent internal audit team in place which is also experienced in identifying, assessing and managing fraud risks. Exchanges should carry out an entity-wide fraud risk assessment at least once a year to identify and assess prevailing and plausible fraud risks, and take appropriate measures to curb them. The tone should be set at the top: there has to be zero tolerance for fraud. The company should also have a whistle-blower policy in place which encourages every stakeholder of the company to report any fraudulent activity observed at the exchange. An appropriate fraud response plan needs to be developed to handle all identified fraud risks.

7. Incorrect customer balance accounting and reporting: Exchanges should ensure that customer balances (fiat and crypto) are segregated and reconciled at all times. The customer fiat and crypto reconciliation should be carried out periodically, and all differences should be researched and explained.
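As an added illustration of that reconciliation (my own example, not the article's or any exchange's code), the function below totals customer liabilities per asset from the internal ledger, compares them with what is actually held across the segregated wallets and bank accounts, nets out differences that have already been researched (e.g. a withdrawal broadcast but not yet posted), and classifies what remains as a shortfall or a surplus. The column layout of the ledger rows and the "explained" dictionary are assumptions.

```python
from collections import defaultdict
from decimal import Decimal


def reconcile(customer_ledger, custody_balances, explained=None, tolerance=Decimal("0")):
    """Reconcile customer liabilities against segregated custody holdings, per asset.

    customer_ledger : (customer_id, asset, balance) rows from the internal ledger
    custody_balances: (location, asset, balance) rows, e.g. ("cold", "BTC", "1.5")
                      or ("bank_a", "USD", "1200"); amounts are strings for Decimal
    explained       : {asset: amount} of researched timing items that account for a
                      known difference (negative = held less than owed for now)
    Returns (report, negative_balances); report maps asset -> details of the break.
    """
    explained = explained or {}
    liabilities = defaultdict(Decimal)
    negatives = []
    for customer, asset, balance in customer_ledger:
        balance = Decimal(balance)
        if balance < 0:
            negatives.append((customer, asset, balance))  # a negative customer balance is itself a break
        liabilities[asset] += balance
    held = defaultdict(Decimal)
    for _, asset, balance in custody_balances:
        held[asset] += Decimal(balance)
    report = {}
    for asset in sorted(set(liabilities) | set(held)):
        difference = held[asset] - liabilities[asset]
        unexplained = difference - Decimal(explained.get(asset, 0))
        if abs(unexplained) <= tolerance:
            status = "matched"
        elif unexplained < 0:
            status = "shortfall"   # customers are owed more than the exchange holds
        else:
            status = "surplus"     # exchange funds not segregated, or a deposit not yet credited
        report[asset] = {"liabilities": liabilities[asset], "held": held[asset],
                         "difference": difference, "unexplained": unexplained, "status": status}
    return report, negatives
```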

8. Technology risk: Every tech company runs this risk. It is more profound in the case of crypto exchanges, which are trying to harness the power of the emerging blockchain technology. As a crypto exchange, you need to continuously research and develop your products to ensure that you stay at the top of your game and ahead of your competitors. For example, Zebpay recently became the first exchange in the world to implement “Lightning Technology”, which enables micropayments using bitcoin. Exchanges should have a dedicated Research and Development department tasked with coming up with serious technological updates for their trading platform.

Disclaimer: Views expressed in the article are in my personal capacity and should not be interpreted to be on behalf of my employer i.e. Zebpay.

Published at Tue, 23 Apr 2019 10:23:00 +0000
