Cryptocurrency Exchanges and Governance, Risk & Compliance

According to a recent study published by Coinfirm, only 14% of the 216 cryptocurrency exchanges operating globally are regulated.
In such a scenario it is of utmost importance for crypto exchanges to have an effective GRC function in place, to strengthen the faith their users place in them.
WHAT IS GRC?
GRC stands for Governance, Risk and Compliance. It refers to strategies for managing an organization’s overall governance, risk and compliance with regulations.
WHY SHOULD CRYPTO EXCHANGES CARE ABOUT GRC?
BTC-e, a Russian exchange established in July 2011, was shut down in July 2017 over allegations of international money laundering, including holding funds originating from the hack of the Mt. Gox exchange.
Mt. Gox, one of the largest crypto exchanges of its time, handling almost 70% of the world's bitcoin transactions at its peak, shut down in 2014 after losing more than 650,000 (6.5 lakh) bitcoins to an alleged hack.
EasyCoin, a Poland-based exchange, suspended its operations in April 2018 after its bank closed its accounts.
WHAT CAN CRYPTO EXCHANGES DO TO ENHANCE THEIR GRC?
Since the majority of crypto exchanges are unregulated entities, they can on their own implement at least the following minimum measures to build an effective GRC function.
GOVERNANCE
- Establish a Board of Directors. At least two persons should manage the business, to satisfy the dual control (four-eyes) principle. It is advisable that the chairman of the Board does not also act as CEO
- Issue clear and transparent by-laws for the Exchange, covering at a minimum:
i. Administration of the Exchange
ii. How the Exchange operates, including the client on-boarding procedure, the process for listing a cryptocurrency, the trading process, market monitoring, custody and safekeeping arrangements, record keeping and fees
iii. Reporting of suspicious transactions
iv. Settlement, and the resolution mechanism in case of settlement failure
v. Suspension and removal of cryptocurrencies from trading
vi. Tests the Exchange carries out on its systems on a periodic basis
vii. Business continuity
viii. Disciplinary actions the Exchange can take against its customers
- Appoint a systems auditor to audit the cybersecurity framework and technology platform on an annual basis
- Appoint a financial auditor to audit the annual financial statements
- Prepare and implement the following policies (the list is not exhaustive):
i. Insider trading policy prohibiting trading by employees, or by anyone else with access to confidential information, on the basis of that information
ii. Conflict of interest policy to prevent conflicts of interest from adversely affecting clients' interests
iii. Remuneration policy for key personnel
RISK MANAGEMENT
- Establish the following independent departments:
i. Internal audit
ii. Compliance
iii. Risk Management
- Implement the following policies and systems:
i. Customer due diligence/KYC to check whether a customer appears on a sanctions list or is a politically exposed person (PEP)
ii. AML policy and systems to minimize the risk of money laundering and to comply with local AML rules and regulations
iii. Policies and strategy for managing other risks
- Maintain adequate minimum capital to absorb any unforeseen event
- Implement a cybersecurity framework (CSF) in line with recognized standards such as COBIT, ISO/IEC 27001 or the NIST Cybersecurity Framework
- Use both hot and cold storage wallets for custody of clients' crypto assets, keeping the bulk of holdings offline in cold storage and only the float needed for day-to-day withdrawals in hot wallets
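The sanctions and PEP screening called for under customer due diligence is the one control in this list that is a concrete, automatable check, so here is a worked example of it. It is added for illustration and is not code from the original article or from any regulator; the watch lists, the names on them and the 0.85 match threshold are constructed assumptions. The point it demonstrates is that a raw string comparison is not enough: names must be normalized (accents, punctuation, token order, initials) and compared fuzzily, and a sanctions hit must block onboarding pending review while a PEP hit only escalates due diligence.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch lists for this illustration only. A production screening
# system would load the consolidated sanctions lists (e.g. OFAC SDN, EU, UN)
# and a commercial PEP database, and refresh them at least daily.
SANCTIONS_LIST = [
    {"name": "Ivan Petrovich Sokolov",
     "aliases": ["I. P. Sokolov", "Sokolov, Ivan"],
     "program": "CONSTRUCTED-SANCTIONS-PROGRAM"},
    {"name": "Global Trade Holdings Ltd",
     "aliases": ["Global Trade Holdings"],
     "program": "CONSTRUCTED-SANCTIONS-PROGRAM"},
]
PEP_LIST = [
    {"name": "Maria Fernández López",
     "aliases": ["Fernández, Maria"],
     "position": "Deputy minister (constructed)"},
]

MATCH_THRESHOLD = 0.85  # assumed tuning value; calibrate against your own false-positive data


def normalize(name):
    """Fold case, strip accents and punctuation, drop one-letter initials and
    sort the remaining tokens, so 'Sokolov, Ivan' and 'Ivan Sokolov' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", ascii_name.lower())
    tokens = sorted(t for t in cleaned.split() if len(t) > 1)
    return " ".join(tokens)


def best_score(candidate, entry):
    """Highest similarity between the normalized candidate and the entry's
    primary name or any alias (1.0 is an exact match after normalization)."""
    names = [entry["name"]] + entry.get("aliases", [])
    return max(SequenceMatcher(None, candidate, normalize(n)).ratio() for n in names)


def screen_customer(full_name, threshold=MATCH_THRESHOLD):
    """Screen one applicant and return the hits plus an onboarding decision.

    A sanctions hit freezes onboarding pending manual review and escalation
    to the MLRO; a PEP hit does not block but triggers enhanced due diligence.
    Every hit is still reviewed by a human; real systems also compare date of
    birth and nationality to cut false positives on common names."""
    candidate = normalize(full_name)
    sanction_hits = [
        {"list": "sanctions", "name": e["name"], "program": e["program"],
         "score": round(best_score(candidate, e), 3)}
        for e in SANCTIONS_LIST if best_score(candidate, e) >= threshold
    ]
    pep_hits = [
        {"list": "pep", "name": e["name"], "position": e["position"],
         "score": round(best_score(candidate, e), 3)}
        for e in PEP_LIST if best_score(candidate, e) >= threshold
    ]
    if sanction_hits:
        decision = "REJECT_AND_ESCALATE"
    elif pep_hits:
        decision = "ENHANCED_DUE_DILIGENCE"
    else:
        decision = "CLEAR"
    return {"customer": full_name, "normalized": candidate,
            "hits": sanction_hits + pep_hits, "decision": decision}


if __name__ == "__main__":
    # "Ivan Sokolof" is a transliteration variant: it misses an exact match but
    # scores about 0.92 against the alias "Sokolov, Ivan" and is still caught.
    for applicant in ["Sokolov, Ivan", "Ivan Sokolof", "Maria Fernandez Lopez", "Alice Example"]:
        result = screen_customer(applicant)
        print(f"{applicant!r:25} -> {result['decision']:24} {[h['name'] for h in result['hits']]}")
```

The threshold is the security-relevant knob: set it too high and transliteration variants slip through, set it too low and the compliance team drowns in false positives and starts clearing hits without looking. Whatever value is chosen, the screening must be re-run against the full customer base every time the lists are updated, not only at onboarding.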
COMPLIANCE
- Appoint a full-time Money Laundering Reporting Officer (MLRO). Care should be taken in appointing the MLRO, as the role is an onerous one; it should be accepted only by an individual who fully understands the responsibilities it carries
- Report any suspicious transactions observed to the relevant local authority
- Appoint an officer specifically responsible for compliance with the safeguarding of clients' assets. This responsibility can also be given to the Exchange's compliance officer
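Reporting suspicious transactions presupposes that the exchange can detect them, which is what its AML systems are for. The following Python transaction-monitoring example is added here for illustration; it is not code from the original article or from any regulator, and the 10,000 reporting threshold, the 70% "just under" band, the 24-hour and 1-hour windows and the ledger rows are all constructed assumptions. It runs two common rules over a per-customer ledger: structuring (several deposits kept just below the reporting threshold) and pass-through (a large deposit withdrawn almost in full within the hour), and returns alerts for the MLRO to review.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed parameters for this illustration; the real values come from the
# exchange's local AML rules and its own risk assessment.
REPORTING_THRESHOLD = 10_000.0        # currency units above which a single deposit is reportable
STRUCTURING_BAND = 0.70               # deposits at 70-100% of the threshold count as "just under"
STRUCTURING_WINDOW = timedelta(hours=24)
PASS_THROUGH_WINDOW = timedelta(hours=1)
PASS_THROUGH_RATIO = 0.90             # withdrawal of >= 90% of a large deposit within the window

# Constructed ledger (customer, ISO timestamp, type, amount); not real data.
LEDGER = [
    ("C1", "2024-03-01T09:00:00", "deposit", 9_500.0),
    ("C1", "2024-03-01T13:00:00", "deposit", 9_200.0),
    ("C1", "2024-03-01T14:30:00", "deposit", 9_800.0),
    ("C2", "2024-03-01T10:00:00", "deposit", 25_000.0),
    ("C2", "2024-03-01T10:35:00", "withdrawal", 24_500.0),
    ("C3", "2024-03-01T11:00:00", "deposit", 500.0),
    ("C3", "2024-03-02T11:00:00", "deposit", 9_000.0),
    ("C3", "2024-03-03T11:00:00", "withdrawal", 300.0),
]


def group_by_customer(ledger):
    """Parse timestamps and return {customer: [(time, type, amount), ...]} sorted by time."""
    rows = defaultdict(list)
    for customer, ts, kind, amount in ledger:
        rows[customer].append((datetime.fromisoformat(ts), kind, float(amount)))
    for customer_rows in rows.values():
        customer_rows.sort(key=lambda r: r[0])
    return rows


def detect_structuring(customer, rows):
    """Flag three or more just-under-threshold deposits inside the window whose
    total exceeds the threshold: the classic pattern for evading a single report."""
    just_under = [(t, a) for t, kind, a in rows
                  if kind == "deposit"
                  and STRUCTURING_BAND * REPORTING_THRESHOLD <= a < REPORTING_THRESHOLD]
    for i, (start, _) in enumerate(just_under):
        cluster = [(t, a) for t, a in just_under[i:] if t - start <= STRUCTURING_WINDOW]
        total = sum(a for _, a in cluster)
        if len(cluster) >= 3 and total >= REPORTING_THRESHOLD:
            return {"rule": "structuring", "customer": customer,
                    "deposits": len(cluster), "total": total,
                    "window_start": start.isoformat()}
    return None


def detect_pass_through(customer, rows):
    """Flag a reportable-size deposit that is almost entirely withdrawn within
    the pass-through window, i.e. funds merely transiting the exchange."""
    for i, (t_dep, kind, amount) in enumerate(rows):
        if kind != "deposit" or amount < REPORTING_THRESHOLD:
            continue
        for t_wd, kind2, out in rows[i + 1:]:
            if t_wd - t_dep > PASS_THROUGH_WINDOW:
                break  # rows are time-sorted, so nothing later can be in the window
            if kind2 == "withdrawal" and out >= PASS_THROUGH_RATIO * amount:
                return {"rule": "pass_through", "customer": customer,
                        "deposit": amount, "withdrawal": out,
                        "minutes": int((t_wd - t_dep).total_seconds() // 60)}
    return None


def run_monitoring(ledger):
    """Run every rule over every customer and return the alerts for MLRO review."""
    alerts = []
    for customer, rows in group_by_customer(ledger).items():
        for rule in (detect_structuring, detect_pass_through):
            alert = rule(customer, rows)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_monitoring(LEDGER):
        print(alert)
```

Rules like these produce the alerts; the decision whether an alert is actually suspicious and must be reported remains with the MLRO, and that decision, together with the evidence behind it, should be recorded so that the record-keeping and regulator-reporting obligations above can be met.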
The above measures are not exhaustive and are based on the Virtual Financial Assets (VFA) Act, regulations and rules issued by the Malta Financial Services Authority.