Bitstamp Compliance Officer Raynold Poh Part 1 of 2 // Web3 Accountant Radio Ep20 Transcript
Raynold Poh is the Compliance Officer of Bitstamp.
Bitstamp is the world’s longest running crypto exchange. Bitstamp holds an IPA for the MPI license to provide CBMT and DPT Services in Singapore under the PSA.
In this conversation, we dive into:
1. Payment Service Act Intro
2. What is Travel Rule
3. Why is Travel Rule difficult to implement
4. Sunrise Issue
5. VASP attribution
6. Can you receive from another jurisdiction that does not implement travel rule?
7. Singapore approach to Travel Rule
And more!
__________________________________
Connect with Raynold & Bitstamp👇
Linkedin: / raynold-wei-cheng-poh/
Website: https://www.bitstamp.net/
Hi everyone, welcome to the Web3 Accountant Radio, the podcast where we dive into the fascinating world of Web3 Finance and Compliance. I’m today’s host Diana, and my partner is Wei Xiang. Hi Wei Xiang.
Hi Diana. Today we have a special guest called Raynold. Raynold currently serves as the compliance officer at Bitstamp, the world’s longest-running crypto exchange.
Bitstamp holds more than 50 licenses across various jurisdictions to provide crypto services. Focusing on Singapore, Bitstamp currently holds an in-principle approval for the MPI license to provide cross-border money transfer and digital payment token services in Singapore under the Payment Services Act. Over the span of his career, Raynold has held compliance roles at notable payment and crypto firms such as Wallex, acquired by MDAQ Group, Sparrow, acquired by Amber Group and Metacomp.
Nice to meet you, Raynold.
Hi, nice to meet you Diana and Wei Xiang. Thanks for inviting me today.
Today is a very exciting day where we have a compliance officer in Singapore from a soon-to-be licensed MPI license entity bringing us through a travel rule deep dive and also speaking about unhosted wallets in Singapore. Yeah, over to you, Raynold.
Hi guys. I’m Raynold. I’m currently with Bitstamp. Bitstamp currently holds an IPA in Singapore and then we expect to get the license sooner rather than later to provide cross-border and digital payment token services.
Yeah, just a brief introduction before we start over to travel rule. The Payment Services Act came into force in 2020. Then digital payment tokens, in short, DPT, so commonly known to retail investors or other customers, it’s known as cryptocurrencies, so this is regulated under the Payment Services Act in Singapore. As a crypto service provider in Singapore, we are obligated to comply with the travel rule. Travel rule is something that is quite complicated to the average investor or average customer.
I’m trying to break it down so that it’s something easier to understand for everybody. Travel rule is the accompanying data message that goes alongside your crypto transfers between financial institutions.
This came about when FATF, the international body with regards to anti-money laundering, they provided this guidance under recommendation 16. It’s called travel rule, as mentioned in the name, because the information that needs to accompany the crypto transfer is traveling alongside the crypto transfer. Basically, in essence, what is travel rule? Where was it first derived from? It actually was derived from your traditional finance for your wire transfers. You know, your SWIFT, your SEPA, your FAST, your ACH.
The banks actually have to communicate between each other. When you’re making a wire transfer, they will actually send a SWIFT message over to the other bank stating information: the originator’s names, the beneficiary’s names, date of birth, etc. Addresses and etc. of those likes. The whole purpose of travel rule is to counter money laundering and terrorism financing. How does it work exactly? When I’m sending a message over from the ordering, the originating crypto service provider, I will send my customer’s name, date of birth, account number, IC number, ID number, passport number, some information that falls under personal data, over to the beneficiary crypto service provider, along with the beneficiary customer of this crypto assets. It is the job, it is the duty of the receiving crypto service provider to verify that such a beneficiary customer exists on their end, and then to confirm and send a message back to the originating crypto service provider to confirm this, before the crypto service, before the ordering service provider sends it over or before the beneficiary service provider credits this funds to the beneficiary customer. The whole point of this is to make sure that customer A sending over to customer B, it’s not to launder money, it’s not for terrorism financing, and then the receiving, the beneficiary crypto service provider also fulfills his obligations of doing all these checks. Basically because it is so easy to just launder money if you don’t do all these checks, you don’t know who you’re sending to. Your customer A can basically say name ABC or DEF or whatsoever and then they can just send it over, and if you process it without checking, essentially you have abetted money laundering, for example. I think one of the misconceptions is that just by sending out the message, the data message, technically the ordering, the originating institution, the originating crypto service provider has fulfilled their obligation, but to actually successfully combat money laundering, the beneficiary crypto service provider actually has to do the checks that such a customer B exists on their end and that they have actually onboarded customer B and done the necessary due diligence and provided a confirmation back to the originating crypto service provider A. If you don’t, if they don’t actually do these checks and they don’t actually provide the confirmation, technically you haven’t actually combated money laundering in that sense. Yeah, so we’ll move on. Travel rule is something that is so complicated.
It is so nascent in the industry. It’s been here for some time, but I think when people talk about travel rule, at least for the practitioners in the industry, it’s easy to talk about travel rule but the practicability of travel rule and to actually put it into reality, implementing it, I think it’s something that is so complicated, very, very complicated, and then you will realize that there are not many entities or even jurisdictions that know how to comply with it and actually comply with it. One of the first challenges that travel rule faces, implementing travel rule, would be something called the sunrise issue. Basically, the sunrise issue came about because I think people in the crypto industry will be familiar that certain jurisdictions have a more robust crypto regime, regulatory regime, as compared to other regimes, say Singapore, for example. Where I’m based in, Singapore is known for its robustness in its digital payment token crypto framework. It has a set of travel rule requirements, versus another country which has not actually, you don’t even talk about travel rule, for example, they don’t even have a crypto regulatory regime. Say when I want to, when I’m actually a crypto service provider in Singapore and I actually have to comply with travel rule under the notices set out under the Payment Services Act, how do I actually comply? Because complying with the travel rule, there are two portions to it.
One component is me being the originating institution, originating crypto service provider, and then the other portion is being the beneficiary service, crypto service provider. But sunrise issue came about when different regimes implement crypto at its own pace, at its own time, differently from other regimes. When I want to communicate, the whole point of crypto is to be cross-border. I can send crypto over to another jurisdiction, say Singapore to United States, say for example, where I’m from, Bitstamp Asia wants to send over to Coinbase USA, for example. I will be able to do so. I just need to comply with travel rule. But complying with travel rule, I would then require the US to have a similar travel rule implementation or requirement as Singapore, for example. Because if there’s such requirement or no such incentive or motivation for the crypto service provider in US to oblige with complying with the travel rule, technically they wouldn’t do it. They wouldn’t have to do it and they wouldn’t do it because travel rule has all sorts of costs to it, the complexities of implementing travel rule. When I as a service provider in Singapore, I send a message, I’m technically sending to nobody. I can’t send to anybody.
How do I actually confirm that they are sending over to customer B as who they are saying on the beneficiary service provider? That is the first issue. I think if you’re in this space, you hear there is something very, very common, the sunrise issue. The sunrise came about because different jurisdictions have like, they come up, the sun rises at different times basically. I think the next thing that is difficult about the travel rule is interoperability, basically protocols. There are different protocols that exist for travel rule. Just your traditional finance, you have SEPA, you have SWIFT, you have FAST, you have ACH. For travel rule itself, for crypto itself, there are several ones in the space. I can drop some names, for example, you have TRUST, you have VerifyVASP, you have Sumsub, you have GRT, for example. And the biggest problem with this is that it’s not interoperable.
When I send a message via protocol A, I can’t communicate with someone else who is not on protocol A. As a service provider, as a crypto service provider, it is so difficult for me to communicate with another crypto service provider because I have so many different counterparties, many different crypto service providers that I interact with, and then A is on protocol A, for example, B is on protocol B.
Raynold, sorry to stop you here, but why is it that we can send an email, but you are saying that it is so difficult to send messages across? So they are not going through an email?
For all these protocols, it’s actually in a protected environment due to personal data, protection is required. Yeah, some examples of this, there are other implementations as well, such as like, they call this VASP attribution, whereby these protocol service providers, they have also integrated with other blockchain analytics so that they can help to identify, such as I give some examples, they have integrated with Chainalysis, they have integrated with Elliptic. So Chainalysis, Elliptic, they are able to identify this particular address belongs to Bitstamp, this particular address belongs to Coinbase.
When you want to send a message out to a particular address, if Chainalysis or Elliptic has identified this particular address and labeled it as such, then they will know, these protocols and switches will know where to send this particular data message towards. That will be one reason. The other reason that I mentioned will be personal data protection.
This has to be an enclosed environment. Yeah, so the thing about these protocols is like, so if I’m on different, if my counterparty beneficiary service providers, crypto service providers are on different protocols, essentially I have to integrate with all these protocols as well. And each protocol, the integration, it costs so much human capital and so much financial capital as well. It’s so expensive.
I mean, I’ve tried to integrate with some of them and the cost is really like, basically compliance costs for this are really, really not cheap. That’s how compliance officers get paid. Yeah.
Okay. Yeah. It is not feasible to have all these different ones. I can share something as well.
It’s known in the industry as well, that say some of these players, when they get onto a particular protocol and then because I have to connect with them, because my customers are either depositing from them or withdrawing towards them, I have no choice but to integrate with this particular protocol. You will see a monopolistic effect that starts to happen in this, in the travel rule space. And I think from my personal opinion is that I think at one point of time, we will see consolidation.
The number of protocols out there will consolidate, we’ll have lesser, and then most of the major players will congregate on one of them for travel rule.
Just checking, can a licensed exchange in Singapore receive money from an exchange in a country which have not implemented travel rule because of the sunrise effect?
Yeah. So with regards to crypto and travel rule.
Can you receive from another entity that does not have travel rule in effect? To be honest, the travel rule obligation actually, when MAS sets it out, the obligation is actually set on the originator. So it is the originator’s responsibility to send the message out. For the beneficiary, which is in this case, what you just mentioned, MAS has obviously acknowledged how difficult it is to get a response from another crypto service provider who is sending towards you. MAS has left it to the service providers on a risk-based approach, whether for you to receive and credit these crypto assets. As you know, crypto, when I want to deposit to an address, there’s no stopping it. I will say that the depositing will definitely happen.
It’s just whether you choose to do the crediting of this crypto towards your customer. I think another thing, so risk-based approach can happen in many ways. Some of the ways which the entities use is checking if there are any exposure on the blockchain, any dirty exposure, tainted exposure towards dark web or whatsoever. This particular exchange, does it have any adverse news, for example? Yeah.
Some examples of how risk-based approach is being conducted before we credit the customers, this crypto. Yeah.
Yeah. The thing about travel rule is a lot of like, because of how difficult it is to implement it, how costly it is to implement it, a lot of service providers have ended up taking the wait and see approach. Let’s see the major players.
How’s it going to turn out? Where are they? Where are they like, which protocols are they onboarding with? And then before I take a step, and before I have to make a decision to implement with which one now, which I think it’s difficult because it just becomes a circular issue. Everyone just ends up with a wait and see approach. But I think that like, if you were to weigh both sides of the coin, I think you also understand how difficult it is as a business to tell me that, okay, for the sake of complying, I will implement with one, but yet I cannot communicate with all my counterparties. I think MAS has understood this as well. During my time with licensed crypto service providers in Singapore, I’ve received surveys from MAS about travel rule, the state of travel rule, the difficulties of implementing travel rule, of operationalizing.
Yeah. And I think that MAS is in a position whereby like, they want to understand the difficulties that like, the industry is facing and how to overcome this industry, overcome this industry problem. Yeah.
So yeah, I think I just want to share something about the Singapore’s approach to travel rule as well. Something unique that you wouldn’t see in FATF recommendation and other jurisdictions’ implementation of the travel rule. In the notice under the Payment Services Act, MAS did not actually explicitly call out for crypto service providers in Singapore to have to do something called the counterparty due diligence. In the FATF recommendation, they actually requested for crypto service providers to do due diligence on each other. So due diligence can be your licensing, can be your CDD, can be your customer due diligence, your processes, can be your data protection.
Yeah. Can be checks on your ultimate beneficial owners, your directors, do checks on adverse news screening, on blockchain analytics, for example, what is your risk exposure. So this is something interesting about the Singapore approach whereby they didn’t actually state that you have to do this. I think my own personal opinion when MAS did not set this up, I think is that MAS actually understands the difficulty in doing something like this, having to have crypto service providers do due diligence on each other, for example.
But I think that in the industry, if some of the more well-known service providers, VerifyVASP, Notabene, they have come up with some sort of their own due diligence questionnaire that they offer it on their platforms whereby you can either do it with them and then they’ll share it with their other service providers that are on board with them. Or Notabene, which is when you fill it in with them, you can publish it on your page and other people can review the information on your page as well. Even though it’s not something that Singapore actually requires, Bitstamp Asia actually complies with this as well. Yeah.
So just as part of like, yeah, just something additional that Bitstamp Asia does. Yeah, so that’s about travel rule actually. Next, I’ll move on to unhosted wallets. What is unhosted wallets?