On October 1, 2020, every crypto entrepreneur’s greatest fears were realized as the Department of Justice cracked down on BitMEX for violations of the Bank Secrecy Act.
The scary part wasn’t that the authorities had come knocking. It was that regulators served the company’s founders with both criminal and civil charges. Now, four members of BitMEX’s leadership team potentially face 10 years imprisonment each for willfully evading US KYC AML regulations.
While the news of the BitMEX crackdown shocked the crypto space, for those that are familiar with the exchange, it might not have come as a complete surprise.
For years, BitMEX founders had openly flouted US regulations. BitMEX CEO, Arthur Hayes, famously commented a few years back that it incorporated in Seychelles rather than the US because it only cost a “coconut” to bribe the authorities there.
That was not the only blunder the BitMEX leadership team made along the way.
In fact, it’s hard to go through the BitMEX indictment without wincing.
The problem was that BitMEX founders assumed that by incorporating ‘offshore’ they were outside the purview of US regulations. They were badly mistaken.
While there are many great crypto-friendly jurisdictions out there that offer tax advantages and better overall business environments, incorporation in these jurisdictions does not automatically exempt a project from US regulation.
As we’ve tried to make very clear throughout this publication, it does not matter whether a company is based in the US or not. If a crypto project focused on financial services has US customers, it must abide by US regulations. This applies to exchanges, centralized wallets, mixers, tumblers, and most DeFi platforms.
So for crypto projects that are not focused on the US and that would like to minimize their US regulatory compliance burdens, it is essential to exclude US customers.
To be clear, I am not advocating that these projects avoid the US market. This is a business decision for crypto entrepreneurs to make with consideration for what’s best for his or her project. But, if the decision is made to not actively comply with US regulations, projects must take proper steps.
Learning from BitMEX’s example, here are 5 steps to effectively exclude US customers and avoid being subject to US regulations.
Establish a Physical Presence Outside of the US
The first step in making it clear that a project is not targeting US customers is to be incorporated outside of the US.
Incorporation alone, however, is far from enough to demonstrate that the business is operating abroad. It is equally critical to also set up a genuine physical presence outside of the US.
This was BitMEX’s first mistake. Though the company was incorporated in Seychelles, the leadership team made no effort to demonstrate any business activity in the jurisdiction or any other non-US jurisdiction.
In fact, in what was probably the most cringe-worthy section of the indictment, for the good part of two years, BitMEX maintained an office for business development and customer service in Manhattan. Yes, Manhattan of all places.
Any good tax lawyer should have warned BitMEX that the IRS assesses if a company is “US-based”, not solely by its place of incorporation, but also whether or not a significant amount of the company’s business operations take place in the US.
While this may not be the same criterion the CFTC applies, if a company’s business development and customer service departments are based in the US, it’s difficult to argue that it is not targeting US customers. After all, BitMEX certainly wasn’t in Manhattan to take advantage of cheaper rent and labor costs.
Implement Geofencing to Block US Customers
Next, a project should take genuine steps to block US persons from opening accounts on the platform. The simplest way to do this is to implement geofencing software.
Geofencing software checks a user’s IP address and can block or redirect users that come from a particular jurisdiction. Most prominent exchanges have already implemented such restrictions.
In the DoJ’s indictment, the authorities assert that while BitMEX had implemented geofencing on its website, it did not do so effectively.
Though the BitMEX site checked users’ IP addresses, it only did this for a user’s first visit. This meant that if someone initially created an account from outside of the US, they could then log on and access their account from within the US without any restrictions.
The authorities noted that users could also open accounts through VPNs, which BitMEX took no steps to block. VPN blocking is relatively commonplace today. Netflix, for example, blocks playback of video content if a viewer is using a VPN, no matter where the user’s IP is based.
So, while BitMEX made some effort to restrict US customers, these efforts were largely for show. In practice, it was very easy for US customers to bypass these basic restrictions.
Implement Basic KYC Checks
In addition to geofencing software, projects should also implement basic KYC measures to filter out US customers.
As outlined in the Bank Secrecy Act, these measures should at a minimum request a user’s name, date of birth, address and government identification number. The idea is that the company should be able to show that it has made some effort to know the true identities of its customers and ensure that none of these customers reside in the US.
Obviously, this is a contentious issue in the crypto community because many in the space are opposed to this kind of centralized information gathering on ideological grounds. As my readers know, I am a strong privacy advocate and find this level of reporting uncomfortable. However, I’m not making the rules, just reporting them.
Additionally, some projects believe that they are not subject to US KYC AML regulations because they are ‘decentralized’. But as we’ve covered in regards to DeFi platforms, this is not an argument US regulators accept. There are already numerous cases in which US authorities have successfully gone after ‘decentralized’ marketplaces or exchanges.
Ultimately, the level of KYC information gathering that a project should implement depends on the kinds of activities the project is involved in and the regulatory risk the leadership is willing to take. Ideology will only get one so far with the government.
Once customer information has been gathered, the next step, of course, is to restrict known US customers from taking action on the site.
BitMEX tripped itself up on this front. When regulators gained access to BitMEX’s records they were able to find ‘thousands’ of accounts in its system with US location information. On top of that, they also found cases where BitMEX leadership actively changed a user’s location of residence in their accounts to claim that they were not US residents, when in fact they were.
This included accounts for friends in the US and for people they said were ‘big in crypto’.
Since nearly everything is traceable, entrepreneurs should assume that the true information will eventually be exposed. It may be hard to turn down US-based friends, family, celebrities, or big investors, but if a project genuinely wants to avoid falling afoul of US regulations it needs to limit its platform to non-US persons.
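The two failures described above, in the geofencing and KYC sections, are the same enforcement gap seen from two sides: the location check ran only at sign-up, and declared residence was never reconciled with where accounts were actually used. The following added example (not code from BitMEX or from this publication) shows a check that runs on every authenticated request, refuses known VPN exits, and surfaces accounts whose KYC residence contradicts their access pattern. The IP-to-country table and VPN ranges are constructed sample data; a real deployment would use maintained GeoIP and proxy feeds.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data (assumption): toy IP-to-country table and one
# range treated as a VPN/proxy exit. Use maintained feeds in production.
GEOIP = {"203.0.113.0/24": "SG", "198.51.100.0/24": "US", "192.0.2.0/24": "DE"}
VPN_EXITS = {"192.0.2.0/24"}
BLOCKED = {"US"}


@dataclass
class Account:
    user_id: str
    declared_country: str            # residence from the KYC form
    blocked_hits: int = 0            # requests seen from a blocked country
    audit: list = field(default_factory=list)


def lookup_country(ip: str):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP.items()
                 if addr in ipaddress.ip_network(net)), None)


def is_vpn_exit(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in VPN_EXITS)


def authorize(account: Account, ip: str):
    """Run on every authenticated request, not only at sign-up.
    Returns (allowed, reason) and records the decision for audit."""
    if account.declared_country in BLOCKED:
        reason = "declared_residence_blocked"
    elif is_vpn_exit(ip):
        reason = "vpn_or_proxy"
    else:
        cc = lookup_country(ip)
        if cc is None:
            reason = "unknown_location"
        elif cc in BLOCKED:
            account.blocked_hits += 1
            reason = f"blocked_country:{cc}"
        else:
            reason = "ok"
    account.audit.append((ip, reason))
    return reason == "ok", reason


def residence_mismatches(accounts, threshold=3):
    """Compliance review: accounts declared outside a blocked country that
    keep connecting from inside one, the pattern regulators found."""
    return [a.user_id for a in accounts if a.declared_country not in BLOCKED
            and a.blocked_hits >= threshold]
```

Unknown locations are refused rather than allowed, so a gap in the GeoIP table cannot silently become a bypass.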
Do Not Market to US Customers
Next on the list is to watch one’s marketing.
We’ve talked a lot about the importance of marketing language when it comes to conducting token offerings and the same applies here.
In BitMEX’s indictment, the DoJ highlights that the company heavily marketed its platform to US customers. Not only was its business development office located in the US, as mentioned above, but the company’s leadership did the bulk of its promotion efforts in the US. This was evidenced by BitMEX activities at Consensus and other major crypto conferences in the US, as well as frequent TV appearances by the CEO on US television networks.
Overall, this doesn’t necessarily mean that a project that aims to exclude US customers cannot do any marketing in the US. Undoubtedly US-based crypto conferences do have an international reach and could potentially be useful to any company.
So in this case, it primarily comes down to intent. If a company genuinely does not accept US customers, would it devote significant effort to building its brand in the US market? Probably not.
It should go without saying that it is not advisable to overtly advertise that the platform does not comply with US KYC AML regulations. For example, BitMEX’s initial marketing efforts stated “No real-name or other advanced verification is required on BitMEX.” Ouch.
Alone, something like that may not be sufficient to incur regulatory backlash. But it definitely draws unfriendly regulatory attention.
Use Non-US Based Servers
Last but not least, one extra precaution to stay outside the purview of US regulation is to use only non-US servers for a project’s platform.
This was not mentioned within the BitMEX indictment but comes from the DoJ’s Cryptocurrency Enforcement Framework, which came out the same week.
In this report, the DoJ asserts that it has jurisdiction over all crypto companies that touch US servers.
Given that Google and Amazon servers are mainly based in the US, avoiding US servers entirely is much harder than it looks. Additionally, it’s unclear how the DoJ would view permissionless node operations, which may very well take place in the US without the permission of a project.
For companies targeting EU users, there is already an increasing number of services to assist with non-US server usage.
This is because recent changes to GDPR regulations now prohibit storing EU user data on US servers. Thus, if a project is based in the EU, it’s not only a good idea to avoid US servers, it may be a legal requirement.
There is not a clearly established framework on how to effectively avoid touching US servers, at least not for non-technical founders. But the basics are to make sure that the site is hosted on servers outside of the US and to remove third-party code, like Google Analytics, which may store information on US servers.
What does this mean for Crypto Law Insiders?
From the BitMEX case we can see that US authorities are getting serious about KYC AML for crypto projects providing financial services. This includes exchanges, centralized wallets, mixers, tumblers, and most DeFi platforms.
This trend has been in the works for a long time, and it would be wise for any crypto projects in this space that have resisted implementing KYC AML measures to begin taking action now. For example, many projects are looking to incorporate digital ID services into their platforms, which will allow them to verify a user’s non-US status while at the same time not violating the privacy of their users.
For projects that serve US customers, it is essential to go the next step and register with the appropriate regulatory agencies and implement sufficient KYC AML measures in accordance with the Bank Secrecy Act.
Overall, there is no single correct course of action to take. Founders must weigh the regulatory risks against the benefits of having full access to the US market. It all comes down to the activities the project is engaged in and the level of risk one is willing to take.
But at the end of the day, it pays to play safe. Just ask Arthur Hayes.