For the second year running, the controversy in the cryptocurrency market around the Fifth Directive, created with the support of the FATF, has not abated. It obliges users of digital currencies to go through a personal identification procedure. Let's figure out which exchanges reliably store user data.
A recent story with WhatsApp has raised another wave of disputes about the protection of personal information that users transmit to companies when going through the KYC procedure. For cryptocurrency traders, this is a mandatory step, without which they cannot start working on a cryptocurrency exchange.
According to the international organization for combating money laundering (FATF), these measures will help prevent financial crime and the sponsoring of terrorism. However, by providing information about themselves to crypto platforms, users put their own money at risk, because in the event of a data leak or theft, fraudsters will have copies of a passport, a key to a crypto wallet and much more.
Why do exchanges “know their customer”?
Until a few years ago, most cryptocurrency exchanges were completely anonymous and did not require users to go through the KYC (know your customer) procedure. At the same time, a huge number of cases of money laundering through cryptocurrencies were registered on the market, and a black market was actively developing, where drugs, computer viruses, smuggled jewelry, illegal drugs and much more could be bought with digital coins.
According to research by Chainalysis, in 2020 about 1 million bitcoins circulated in the darknet space, of which 300 thousand BTC were coins stolen from users' wallets or cryptocurrency exchanges. For comparison, in 2017 this figure was 22% higher. The decline in the darknet market is largely due to the implementation of the KYC procedure, which became an integral part of the Fifth Anti-Money Laundering Directive (5AMLD), adopted worldwide on January 10, 2020.
It became much more difficult for crypto scammers to withdraw funds from exchanges or launder money using cryptocurrency, since the trading platform had the user's personal data, including a copy of a passport or identity documents. If suspicions arose, the supervisory and regulatory authorities could easily identify the potential culprit and bring them to justice.
The introduction of the KYC procedure was initially welcomed neither by the users themselves nor by crypto exchanges, which asserted that identification was contrary to the nature of the blockchain: anonymity. Constant leaks of customer data add fuel to the fire. In December 2019, the Poloniex exchange announced a large-scale leak of users' personal information. And at the end of 2020, hackers stole more than 1 million email addresses from Ledger.
How to go through the KYC procedure and is it mandatory?
In fact, there is nothing complicated in the KYC procedure, and you can go through it in just a few minutes, especially at the initial stages, if you are not going to withdraw large amounts from the site.
Although each exchange has its own requirements, the procedure is broadly similar and fits into several standard steps.
- To begin with, you will most likely have to confirm that you are over 18 years old; otherwise crypto trading will be completely banned.
- Select the country of registration and residence, as well as upload a copy of your passport or other identity document.
- Then you need to take a photo from your phone or computer camera. Sometimes exchanges require you to take a picture of yourself along with your passport.
- And finally, agree to the processing of the data and send it for review. Verification completed.
Let's consider the requirements of cryptocurrency exchanges for users and also analyze where and how trading platforms store information.
Binance (can be used without going through KYC)
The largest cryptocurrency exchange, Binance, uses the KYC procedure only partially. In fact, Binance allows you to trade cryptocurrency, as well as make deposits and withdrawals, without verification.
For example, spot traders can withdraw up to 2 BTC ($70,000 at the current exchange rate) per day without going through identification. However, these rules do not apply to US citizens and residents.
Official website of the exchange https://www.binance.com
If you need to withdraw more than 2 BTC ($70,000 at the current exchange rate) per day, you will need to go through the KYC procedure and provide the following data:
- full name and surname;
- nationality;
- country code;
- email address;
- utility bills;
- home address.
Encryption technologies such as PCI scan and secure socket layer encryption can be used to transfer and store your personal information. Binance also says that access to the storage facilities and buildings where servers with user data are installed is limited to a small number of individuals in order to minimize physical contact with storage devices.
The cryptocurrency exchange OKEx, with a daily trading volume of $11.5 million, made headlines after the arrest of one of the founders of the platform. As a reminder, the exchange froze withdrawals after OKEx founder Star Xu was arrested by law enforcement agencies. Note that Xu had access to the private keys of the wallets where the users' funds were stored.
After the incident, the exchange intends not only to make copies of private keys, but also to tighten the requirements for using the platform. In accordance with the requirements of the General Data Protection Regulation (GDPR) and the Data Protection Act, the exchange collects and stores the following list of data:
- E-mail address
- Cell phone number
- Full legal name (including former name and local language names)
- Passport number or any government-issued identification number
- Date of birth ("DOB")
- Proof of identity (such as a passport, driver's license, or government issued ID)
- Residence address
- Proof of residence
- Additional personal information or documentation at the discretion of our compliance team
The company also talked about information protection methods.
“We are taking various measures to ensure information security, including encryption of OKEx messages using SSL, two-factor authentication for all sessions, and others. Company employees have limited access to your personal data,” the document says.
Bitfinex is among the top 5 exchanges in terms of trading volume and is registered in the British Virgin Islands. The site confidently makes not only the list of popular exchanges, but also the list of "best detectives of the year", as it collects a huge array of customer data from various sources.
In addition, the exchange collects IP addresses, browser type and version, time zones, type of operating system and modules, date and time of the platform visit, and all user actions, including page views, button clicks, mouse movements on the monitor screen, and much more.
At the same time, the company does not explain exactly how user data is protected from hacking and where it is stored. The developers only dryly explained that a limited number of people will have access to information.
After a massive data breach, the founders of Poloniex promised to improve the data protection system to minimize the likelihood of hacker attacks.
The updated version of the "Privacy Policy" states that the exchange collects and stores information such as the user's first and last name, email and mailing address, date of birth, government-issued ID, tax ID, identification information, photos, company name and password. In addition, the exchange may collect and store information about convictions, sanctions against a specific user, and more.
User information is stored on servers located in the United States, and a limited number of people have access to them. At the same time, little has been said about the technical methods of protecting the information. The document states that the exchange uses encryption technology. No other details could be found.
The KYC procedure requires the provision of personal data. Users of crypto exchanges need to accept this as a fact and choose trading platforms that are able to minimize the amount of information collected and guarantee the protection of personal information in accordance with international and European standards.
What to look for when choosing a platform:
- The amount of data required.
- Information storage and protection technologies.
- Liability of the exchange to users in the event of a leak.
- Exchange hacking history.