FTX: The Art of Compliance Theatre

February 12, 2024

On paper, FTX was a business with seemingly robust AML controls.  The last Hoptrail snapshot prior to its collapse showed the following data on FTX International's group companies:

✔️ Licensed by VARA in the UAE (FTX Digital Markets Ltd)
✔️ Licensed by the FSA in Gibraltar (Zubr Exchange Limited)
✔️ Registered with AUSTRAC in Australia (OmiPay Pty Ltd)
✔️ Licensed with the Bahamian Securities Commission (FTX Digital Markets Ltd)
✔️ Registered with the FSA in Japan (FTX Japan Corporation)

The exchange also had a number of additional compliance features, which made it appear robust.  The venue operated mandatory KYC, and published detailed procedures for three tiers which included enhanced due diligence and source of funds checks.

Snapshot of FTX’s KYC policies (August 2022)

As the image shows, FTX also engaged external transaction monitoring with Chainalysis to monitor all deposits and withdrawals for suspicious activity.  The engagement appears to have begun in 2022.  As part of the deal, FTX wrote:  

By monitoring our transactions in the Chainalysis KYT, FTX is able to receive real-time alerts to help their business mitigate exposure to regulatory and repetitional* risk. Their system will help our compliance teams focus on the most urgent activity and enforce compliance policies while better allocating resources

*We’re pretty sure they meant reputational risk.

In August 2022, Sam Bankman-Fried and former FTX US head, Brett Harrison, penned an article discussing how the FTX businesses monitored for sanctions risk, and implemented on-chain analytics, transaction monitoring and KYC, confirming that the business also utilised TRM Labs.  Prior to this Harrison had discussed how the exchange utilised tools to monitor for sanctions violations.

This was followed - again in August - by a thread from SBF on FTX’s KYC and security procedures.

FTX also avoided regulatory penalties or any known security breaches.  Up until recently, the venue had not been involved in any criminal litigation - all of which would have impacted its AML score.  This is perhaps unsurprising given the relatively short lifespan of FTX in comparison to some of its peers.

So on paper it ticked the boxes.  Or at least FTX ticked its own boxes.  But how did it look in practice?

Walk the Walk

The truth is, data on how FTX implemented its AML controls is limited.  There is anecdotal evidence that structures were interfered with, as shown in this report.  This interrupted the ability to properly monitor suspicious transfers and control authorisations, not least various conflict of interest issues.

But there is an important difference between customer KYC - which was definitely in place - and the internal controls required to monitor fund transfers, executive oversight, and implementation more broadly.

A further concern is what we term ‘engagement and disclosure’ (E&D).  In mid-2022, Hoptrail initiated an outreach programme to exchanges to confirm the AML data we hold on them and to have them respond to questionnaires (DDQs) on AML processes and procedures.

DDQs play a vital role in helping us push past publicly available data.  They allow us to get a look under the hood on controls at crypto entities and understand - to the extent possible - whether there is implementation beyond the paperwork.

Several exchanges have been forthcoming in their responses to DDQs, which gives us greater comfort on those venues.

Hoptrail reached out to FTX’s compliance team in July and August 2022.  We received no response.  

Regulatory whitewashing

Finally, there is jurisdictional quality.  This is one of the metrics that meant FTX was not a Top 10 exchange.

Hoptrail uses World Bank data to measure jurisdictional regulatory robustness, and we differentiate between licenses, registrations and exemptions from regimes within that.  

This means that countries with robust compliance frameworks attract a higher scoring.  It is partly why scores so well - registrations in the UK and US plus a (highly sought after) license from the Monetary Authority of Singapore.

FTX’s licenses were in jurisdictions that are not typically recognised as operating high-grade crypto frameworks.  

The exception to this is Japan.  The only entity within FTX where customers have been fully protected is FTX Japan Corporation.  It still holds all customer deposits.

Following the 2013 collapse of Mt.Gox and the January 2018 hack of CoinCheck, which saw more than $500 million in assets stolen, the FSA instituted rigorous consumer protections.  This insulated FTX Japan from the wider fallout in October.

Notably, FTX was not on the UK Financial Conduct Authority’s Temporary Register, nor does it appear to have applied for an FCA license.  Indeed, the FCA still regards FTX as providing financial services or products in the UK “without our authorisation”.  There is no apparent attempt to secure licenses in jurisdictions considered the gold standard: Singapore, Hong Kong, Switzerland, among others.

The registrations raise wider issues on FTX’s controls.  How did it secure certain licenses and not push for others?  

Building Disclosure Scoring

At the time of its collapse, FTX was 13th in our Exchange Leaderboards and 24th overall.

FTX.US was 26th and 48th, respectively.

Our risk scoring draws on 23 different AML criteria across four groups - KYC, Licensing, Trading & Monitoring, and Integrity - to formulate an assessment of how well a venue is doing in addressing and combatting financial crime risks.

It does not score governance or operational risk.  But changes to our methodology early next year will capture these elements, building on our two-step approach.

In the first instance, data is sourced from the public domain - from press archives, social media, regulatory disclosures, published policies, and subscription databases, among others.  This addresses the written policies and procedures.  We then test these controls via our own sign ups - seeking to ensure that KYC thresholds are met.  

The second layer involves engagement and outreach with venues to confirm and amend the data we collate on them, and to undertake due diligence questionnaires to gather additional information.

This enables us to blend public and non-public information on the entities we cover.  More importantly, it helps to assess whether the venue is putting AML policies into practice.  

Part of our DDQ also seeks to understand more about security, insider trading rules, wash trading policies, and so on - some of the non-public, practical steps in fighting financial crime.

Our E&D process is currently being integrated into our risk model.  This would provide a mechanism to showcase the level of engagement on each VASP, with scoring on (1) those that engage, and to what degree; and (2) those that provide data, and to what extent.  

Indicators of engagement will be displayed on our platform and in every VASP profile.  The metric is designed to capture the intangibles around governance, and to enhance transparency.  Part of the latter is to blend E&D scoring with proof of assets disclosure to enhance our understanding of solvency.  More on that in the coming weeks.

This is not a silver bullet response to the FTX saga.  But it is a step towards building rigorous and trusted risk datasets for the crypto ecosystem - and a method of unpicking the art of compliance theatre.

Find out more about Hoptrail’s Leaderboards here.

