In the wake of all the cryptocurrency exchanges that have imploded over the past year, including most notably FTX, it should be apparent that centralized cryptocurrency exchanges are centralized financial institutions that perform the same functions that banks provide and operate in a similar manner.

Centralized cryptocurrency exchanges take custody and control over customer deposits and allocate their customers ‘balances.’ They are custodians but aren’t inherently required to custody customer assets. Exchanges can technically do whatever they want with customer deposits, even if it violates their own terms of service.

This includes but is not limited to ‘lending’ out assets to high-risk entities, lending to ‘sister companies’, embezzling customer funds, purchasing speculative investments (e.g., NFTs), and a slew of other things that most people would be appalled to learn exchanges were doing with customer deposits, given how easily such uses can push an exchange into insolvency, leaving it unable to pay customers their balances.

I wish I could say this type of activity was restricted to FTX, but it’s not; there are many cryptocurrency exchanges that engage in the same type of highly questionable practices, some former, some still operating, which we’ll get into later.

The Two ‘Types’ of Regulation for Cryptocurrency Exchanges

There are two distinct ‘fields’ or areas of regulation and compliance that apply to crypto exchanges. I will loosely refer to these fields as the ‘Use of Customer Assets’ field and the Anti-money Laundering (AML) field. While there is certainly some relationship between the two, we should treat both as separate issues to analyze and deal with. The former is the primary focus of this blog post.

Use of Customer Assets Regulation

With very limited exceptions, cryptocurrency exchanges are not regulated in this sense, nor is there appropriate oversight as to what exchanges do with customer deposits and customer assets. Exchanges have free rein and control over how they leverage customer assets, or whether they leverage them at all. No regulation requires exchanges to keep custody of customer deposits, whether on a 1:1 basis or otherwise.

Exchanges are not regulated to ensure they store customer assets 1:1, nor are they subject to capital control requirements like banks. There are no regulations that prevent exchanges from operating on a fractional reserve basis whereby they lend out customer assets, and there is a lack of oversight regarding what exchanges can do with customer assets.

While it is true that banks don’t maintain custody of customer assets either and operate on a fractional reserve basis, lending out and leveraging customer assets, banks are most certainly subject to regulatory oversight, are restricted in the types of investments they can make with customer deposits, and still need to maintain an appropriate reserve ratio to be able to fulfill customer withdrawals on a timely basis. They are also subject to ‘stress tests’ simulating a bank run and/or unfavourable market conditions (which are not nearly as volatile and risky as crypto).

Furthermore, bank accounts are generally insured in most countries in the world. In the US, for example, bank account balances are insured by the FDIC for $250,000 USD per ownership category in the event the bank becomes insolvent and needs to file for bankruptcy, unable to pay out customer deposits. Banks pay for this insurance. There is no equivalent bankruptcy insurance for cryptocurrency exchanges at this time.

Additionally, there is no security framework that exchanges are required to follow or adhere to; there are just best practices. While exchanges will often claim to store the vast majority of funds in ‘cold storage’, no regulatory requirement or oversight compels most exchanges to do so. In the case of many exchange hacks, it’s been revealed that a concerningly large proportion of assets was stored in hot wallets (far more than what would be appropriate). There are also no security frameworks that exchanges are required to follow to ensure that funds are not stolen from cold wallets, or to prevent loss of customer assets via other methods (e.g., embezzlement, misappropriation of funds).

Simply put, in all these facets, banks are regulated and there is regulatory oversight. There is no such regulation for cryptocurrency exchanges. However, some exchanges elect to try and provide some self-imposed transparency to the general public (e.g., proof of reserves, statements of security audits), as we’ll discuss later.

Exchanges are currently responsible for deciding their own practices and are obligated to adhere to best practices. While many exchanges undoubtedly adhere to sound practices, some don’t.

Anti-Money Laundering (AML) Regulation

Cryptocurrency exchanges are Money Services Businesses (MSBs). MSBs, including cryptocurrency exchanges, are already regulated to varying degrees in almost all jurisdictions, but this regulation is focused on Anti-money laundering (AML), not the use of customer deposits. There are many different types of MSBs that are subject to the same type of AML regulations, which often include everything from loan providers, to casinos, to pawnbrokers, to precious metal dealers.

Regulations that are (or aren’t) needed in this respect, such as KYC requirements and suspicious transaction monitoring and reporting, are a somewhat different matter that is not meant to be the core focus of this article. Suffice to say exchanges are already regulated in such respects, although whether such regulations are appropriate or need changes is a separate issue that has been long debated, well before the downfall of FTX.

Why a Cryptocurrency Exchange is the Equivalent of a Bank in the Cryptocurrency Industry

Cryptocurrency exchanges are functionally equivalent to banks for the cryptocurrency sector, in our opinion. Let’s look at how a cryptocurrency exchange actually works, from how it deals with customer funds to how it deals with trades and how that all ties into the applicable blockchains that the exchanges support.

From the Customer’s Perspective

We’ll start off with an example. Let’s say Alice has some Bitcoin in a self-custodial wallet, and wants to use 0.5 Bitcoin (BTC) from her wallet to purchase some Ether (ETH). Alice opens up her self-custodial wallet, and initiates a transaction for 0.5 BTC to an exchange deposit address that is associated with an exchange account of hers – let’s say with exchange as an example.

Alice goes into her account, looks up what address she needs to receive (or deposit) BTC to for it to be deposited ‘in’ her account, and then sends the 0.5 BTC to that address. Once Alice sends the transaction, she no longer has custody or control over the Bitcoin. The exchange does. The exchange will wait for a few confirmations on the applicable blockchain (typically 2-6 confirmations in the case of Bitcoin) and will then credit her account with 0.5 BTC.

At this point, Alice could do a variety of different things with the 0.5 BTC in her account:

  1. She could trade it, in whole or in part, for ETH (or any other cryptocurrency, frankly). The ETH could then be left on the exchange account, or it could be withdrawn, in whole or in part, along with any remaining BTC balance. The ability of an exchange to perform the withdrawal is dependent on whether or not the exchange has enough assets under its control to do so and whether or not they are solvent or in bankruptcy.
  2. She could trade it, in whole or in part, for fiat currency. The fiat currency could then be left on the exchange account, or it could be withdrawn, in whole or in part, along with any remaining BTC balance. The ability of an exchange to perform the withdrawal is dependent on whether or not the exchange has enough assets under its control to do so and whether or not they are solvent or in bankruptcy.
  3. She could leave the 0.5 BTC balance there and do nothing. However, Alice should keep in mind that eventually, she might want to ‘use’ or ‘realize’ this balance. When she does, her ability to do so will be dependent on whether or not the exchange has enough assets under its control to do so and whether or not they are solvent or in bankruptcy.
  4. She could immediately withdraw the 0.5 BTC, not having conducted any trade at all. The ability of an exchange to perform the withdrawal is dependent on whether or not the exchange has enough assets under its control to do so and whether or not they are solvent or in bankruptcy.

This is an overly simplified example – in reality, a customer may have many different deposits from many different cryptocurrencies, or they might not use self-custodial wallets at all and might just elect to keep all their funds ‘on-exchange.’

What I’ve described above is the perspective of the customer. But what exactly is the exchange doing with the money, and where is everything recorded? Below I’ll explain what happens both from the perspective of what happens on the blockchain and what happens internally at the exchange.

From the Exchange’s Perspective

Looking at the blockchain data itself: when funds are deposited to an exchange deposit address, the exchange obtains custody and control of the cryptocurrency, and it credits the corresponding exchange account with the amount of cryptocurrency received. This credit should be thought of as a financial liability that the exchange has towards its customer.

What the exchange then does with the BTC received at the BTC deposit address is generally of no consequence to, and not reflective of, the customer’s balance. For example, it is normal for an exchange to forward funds from deposit addresses to a ‘hot wallet’ or ‘consolidation wallet’ that it uses as part of its business.

Any transfer from a deposit address to an exchange’s hot wallet is in no way reflective of what Alice has done with the 0.5 BTC balance that she has been credited. The on-chain link associated with her 0.5 BTC has been completely severed so far as what would be traceable on the Bitcoin blockchain. Everything is recorded on the exchange’s private ledger, not the blockchain. When Alice trades the 0.5 BTC for ETH, the exchange doesn’t move any assets, and there is no transaction visible on any blockchain. The only thing that changes is the exchange’s private ledger detailing how much BTC and ETH they owe and to whom they owe that BTC and ETH.

The balances on the exchange account are in no way visible to a third party, including a blockchain forensics firm like Cryptoforensic Investigators.

That being said, an exchange is not required to forward funds to a hot wallet of theirs. Let’s say Bob, another exchange customer, wants to withdraw 0.49 BTC from his account. An exchange could use its ‘hot wallet’ to process such a withdrawal, but there is nothing to prevent an exchange from using the 0.5 BTC UTXO that the exchange has which had been sent by Alice.

This process is entirely normal, and there is nothing inherently wrong with it – this is because the 0.5 BTC has effectively been pooled with other BTC under the custody of the exchange, so what Bitcoin the exchange uses to pay Bob is wholly irrelevant to Alice and the balance on Alice’s account.

What’s important is that the exchange has a 0.5 BTC liability recorded as a ledger entry in their private ledger (which exchanges do – this matter is not at issue), which is not on the blockchain, AND that the exchange keeps 0.5 BTC somewhere that they can use to pay Alice back at a later date (or conversely whoever ends up purchasing the 0.5 BTC from Alice). That last part is the real catch since exchanges aren’t required to store customer assets on a 1:1 basis, nor is there any regulatory framework to oversee that exchanges do so.

If the process described above sounds similar to how a bank works (except for the blockchain), that’s because it is. When you ‘deposit’ a cheque, make a cash deposit or receive a wire transfer, the bank obtains dominion and control of those assets. The chequing account number is used to identify which account the bank should issue a credit to accordingly. The bank updates its (private) ledger accordingly, and the bank is liable to you for that balance.

A Macro Overview of Customer Funds on Exchanges

We’ve provided an example of what happens to customer funds on a micro level. But what happens to customer funds at large, on a macro level? The reality is that many customers store funds on exchanges, which gives the exchange custody and control of large swaths of customer assets.

While it is normal for exchanges to move a large portion of the funds to hot wallets and then to cold wallets, customer deposits are essentially pooled and commingled from a technical perspective, and the exchange uses assets from that pool to pay out other customers of theirs when withdrawals are requested.

There are also other entities that select exchanges might reasonably need to send funds to, such as liquidity suppliers. These changes happen internally on the exchange’s private ledger, so it can be extremely difficult to differentiate legitimate withdrawals by exchange customers from transactions that might be associated with funds being misappropriated or ‘lent’ by the exchange to other entities, unless someone (in particular, a competent auditor) has access to the exchange’s private ledger and financials so they can audit accordingly.

While transactions going into and out of known wallets belonging to an exchange can be observed and analyzed via blockchain forensic analysis, the underlying nature and context of those transactions aren’t always going to be entirely clear to an analyst or auditor without corresponding private records that are recorded internally by the exchange. Hence the need for audits, capital control requirements, and regulation.

Why It’s Imperative that Cryptocurrency Exchanges Be Treated Similar to Banks

Just as with banks, it’s critically important for cryptocurrency users to understand that the money in their exchange account isn’t real; it’s not ‘real’ until, if, or when an exchange actions a withdrawal request made by the user. Exchanges have custody and control over customer deposits, so why should they not be regulated in the same way that banks are regulated?

It should be plainly evident that the primary goal associated with such regulation is to protect customer deposits from a range of risks that could lead an exchange to become insolvent and file for bankruptcy due to bad or highly questionable loans, fraud, misappropriation of customer assets, theft, etc.

It’s important for cryptocurrency users to have a place where they can safely buy, sell and even hold cryptocurrency assets without being worried about whether or not the exchange will be willing and able to give them their funds back when the time comes. This is critical for the growth and adoption of cryptocurrencies overall. It is simply impractical in our view to expect everyone to be able to self-custody their own cryptocurrency assets and engage in P2P trades to buy and sell those cryptocurrency assets.

This raises a few other interesting questions. First, why do cryptocurrency exchanges keep failing and shutting down? When an exchange shuts down (and this happens relatively frequently), it rarely happens in an organized and orderly fashion, and it’s incredibly rare for customers that had assets on the exchange to get all their assets back. In many cases, they end up getting nothing back. There are at least four major categories of reasons why and when an exchange may shut down.

  1. The exchange borrowing against customer assets. This could be to fund business operations, but it could also be to lend assets in an effort to generate a profit. When the exchange fails to recoup this money because loans go south or because they’re unable to make up the shortfall, it leads to insolvency and bankruptcy.
  2. The exchange trades and/or leverages customer assets in an effort to generate a profit. When it fails, it leads to insolvency and bankruptcy.
  3. Theft, either by an external actor (a hacker) or by an internal actor, i.e., embezzlement, typically by the founder(s) of the exchange. When exchanges suddenly disappear, taking customer funds with them, it’s effectively the same thing.
  4. Shutting down for ‘business reasons’ or ‘regulatory reasons.’ Shutting down for ‘business reasons’ is pretty much a catch-all phrase that could mean a whole slew of things. This could be because the exchange just doesn’t find operating to be profitable enough or because they find the regulatory environment (with respect to AML) overbearing. Sometimes when an exchange shuts down for such reasons, customers get some or even all of their money back.

With regards to situations #1 and #2, why do exchanges keep deciding to leverage or loan out customer assets? There is a laundry list of exchanges that have failed for such reasons. Are exchange executives really not aware that sooner or later it’s likely going to lead to failure?

The reason, in our opinion, is that exchanges have a financial incentive to leverage customer assets to significantly enhance their profitability, which enriches the founders of the exchange. The exchange is even more enticed to leverage customer assets if the operators and founders of the exchange can’t or won’t be held personally or financially liable for debts the exchange owes its customers as a result of limitation of liability. While not all exchanges engage in this behaviour, exchanges are financially incentivized to do so regardless of whether or not the exchange is paying users ‘interest’ or ‘yield’ on any assets the customer has deposited with the exchange.

When people elect to store cryptocurrency on an exchange, there is a reasonable expectation that the exchange has possession of those cryptocurrency assets on a 1:1 basis and would be able to pay out their customers when a withdrawal is requested unless the exchange clearly represents that they are lending out customer assets to other entities (e.g., Blockfi, Celsius). Otherwise, why would it ever make sense to use a cryptocurrency exchange at all?

If exchanges are purporting to hold enough assets to cover their liabilities to their customers, and in the same currency (instead of holding assets in a different currency, like how FTX had billions of FTT on their balance sheet as assets, which became effectively worthless), why aren’t there regulations to ensure that exchanges actually do so?

Most exchanges claim to hold assets on a 1:1 basis. That is, for every 1 ETH they owe to their customer(s), they hold at least 1 ETH in storage. This is how people generally assume exchanges to (and should?) operate.

Another interesting question is whether or not exchanges should be allowed to operate on a fractional reserve basis (as banks do), provided they disclose to their customers as such and don’t make misleading statements suggesting they store assets on a 1:1 basis if they don’t. Should governments permit this type of behaviour at all, given the much higher risks associated with it?

Before delving into that question further, it’s first important to note that many of the exchanges that have filed for bankruptcy in the past year were already verifiably operating on a fractional reserve basis even if they hadn’t explicitly stated as much. Celsius, Voyager and Blockfi were all money services businesses that allowed their customers to deposit money, and would pay out a financial return (interest or yield) based on those customer deposits.

It was always well-known that these services loaned out customer assets – indeed, they would need to do so if they had any hope of being able to continue to pay their customers interest or yield on assets that their customers had deposited with them. It would thus be evident that the balances that customers had were not backed fully (on a 1-to-1 basis) by the exchange.

While it’s certainly likely that the assets the exchanges had on their balance sheet were worth at least as much as their liabilities to their customers at some point, those assets would not have been denominated in the underlying assets that their customers had (e.g. Bitcoin). Those assets were denominated in the form of loans in large part, many of which went south, resulting in insolvency and, ultimately bankruptcy.

If cryptocurrency exchanges that operate on a fractional reserve basis are going to continue being allowed, then it needs to be disclosed much more clearly that the exchange is operating fractionally and engaging in risky investments (like lending large sums of money to Three Arrows Capital, who, in turn, used those funds for risky day-trading and speculating on NFTs), and that the ability of a fractional reserve exchange to pay its customers back will depend on the borrowers’ ability to pay the exchange back.

Obviously, exchanges that operate fractionally are far riskier to use than exchanges that don’t. With those risks in mind, along with the fact that exchanges that disclose they are operating fractionally usually offer their clients interest (i.e., the client expects a healthy profit), it could reasonably be argued that such accounts should be considered securities.

Japan: Lessons Learned from Mt Gox

It is evident that exchanges, in general, cannot be considered to be a safe place for users to store cryptocurrency assets. Sooner or later, the vast majority of exchanges shut down. This is typically either because they loan out or leverage customer deposits and are unable to recoup such debts, or because funds are stolen from the exchange (either in a hack or by an internal actor).

Exchanges can be a safe place for users to store cryptocurrency assets if there is appropriate regulation and oversight to prevent these types of risks from coming to fruition. Interestingly, it appears that customers of FTX Japan will likely get all or at least the vast majority of their funds back.

This is due to sensible regulations that were put in place by Japanese regulators following the downfall of Mt Gox and Coincheck. These regulations required exchanges to hold 95% of assets in cold storage and required an independent auditor to verify assets annually. This is what prevented FTX Japan from misappropriating customer funds. Sensible regulation and oversight can prevent incidents like what has happened with FTX, Celsius, Blockfi, and Voyager from happening again.

A Regulatory Framework and Solution for Exchanges

In the wake of all the exchanges that have collapsed, it’s very likely that regulations will be introduced dictating what cryptocurrency exchanges can (and can’t) do with customer funds. However, this could still be years away. Additionally, whether the regulatory framework will be sensible or flawed is another area of concern. But it should be apparent that exchanges are in need of regulation to help prevent situations like FTX and Voyager from happening again (or at least to make sure the customers aren’t the ones that lose if the exchange fails).

There are lots of different regulatory policies that such a framework might conceivably include, such as annual audits (by a competent and independent auditor), reserve ratio requirements, limitations on the types of investments that exchanges can make with customer deposits (if exchanges are allowed to leverage them at all), a requirement to store, say, 95% of funds at minimum in cold storage, protections to prevent misappropriation of funds, requirements for exchanges to use licensed custodians to store funds in cold storage (e.g., ‘Coinbase Custody’), and perhaps even requirements to have FDIC-like insurance coverage (to cover the risk of bankruptcy) to protect customer balances.

It’s too early to say what such a framework will or won’t include, but now is really the time to start thinking about it.

One of the many challenges to be expected is jurisdictional issues. Some cryptocurrency exchanges purposely domicile themselves in jurisdictions that are known for lax regulations and lax compliance standards, with minimal AML requirements. Frequently the founders of these exchanges want to avoid any type of accountability and liability, so they will officially domicile their exchanges in countries like the Seychelles. Granted, the exchanges generally have no physical presence in the country they are domiciled in, and their ‘address’ and presence there is generally little more than a mailing address.

Thus, a core issue remains how, or if, exchanges that operate from such jurisdictions can be brought under the same regulatory umbrella. Even if many different jurisdictions start implementing such a regulatory framework, there will likely be some jurisdictions that don’t adopt any, and since there will always be some exchanges actively seeking lax regulation, one should not assume that all the major cryptocurrency exchanges are going to be reasonably regulated in five years’ time – very far from it.

And herein lies an additional issue – such regulations for compliant exchanges will mean that those exchanges will incur additional costs because compliance costs money. The more profitable it is for an exchange to operate in a non-regulated environment or jurisdiction, the higher incentive exchanges have to try and find a way to skirt regulations, whether through ‘jurisdictional gymnastics’ or otherwise.

Proof of Reserves

The concept of ‘Proof of Reserves’ continues to be touted as a solution to ensure exchanges are solvent and to prevent an FTX-like situation from re-occurring.

A few select exchanges have been conducting ‘Proof of Reserves’ audits for years now; it’s not a new idea. While ‘Proof of Reserves’ can be helpful and may be part of the solution, it is not without challenges, pitfalls, and misleading statements.

First, it’s critically important to understand that there are no universally accepted criteria that outline the exact scheme and processes that need to be adhered to in order for an audit to constitute ‘proof of reserves.’ Most proof of reserve schemes involve an auditor aggregating customer balances into a Merkle tree, and ultimately a corresponding Merkle root. There are a variety of different processes and schemes that are utilized by auditors. The scope, quality, and processes associated with these audits should not be considered equal to one another. Some proof of reserve reports are, frankly, utter garbage, since the results of some schemes are prone to manipulation.

A prime case in point is Binance’s ‘Proof of Reserves.’ This is because in Binance’s Proof of Reserves, only assets under Binance’s control were verified. Binance’s liabilities were not verified. Thus, it would be fair to say that what Binance did could be considered a ‘Proof of Assets’ perhaps, but not Proof of Reserves; any suggestion otherwise is severely misleading and contorts the purpose of what Proof of Reserves is.

The point of Proof of Reserves, to begin with, is for the exchange to verify that they have enough assets to pay out their customers. Not to prove that they have some assets – of course the exchange has some assets under their control. FTX, Blockfi, Celsius and Voyager could just as easily do Binance’s Proof of Reserve scheme today, and they would all ‘pass’ because such a report would give no indication that any of these exchanges are insolvent.

Any exchange that elects to self-issue a Proof of Reserves report, without an external and competent auditor, is equally pointless, since there are a myriad of ways an exchange could elect to manipulate the proof of reserves process. Having an auditor is essential, and that auditor’s job is not merely to cross-check financials; it’s to ensure the process isn’t manipulated and to ensure the scheme that is employed is sound to begin with.

Mazars was justifiably concerned about the soundness of the scheme they were using in their audit of Binance which is why they put in a gigantic disclaimer stating, “[the reports] do not constitute either an assurance or an audit opinion on subject matter. Instead they report limited findings based on the agreed procedures performed on the subject matter at a historical point in time.”

While FTX was operational, FTX utilized the services of two major auditors. First, Prager Metis CPAs ‘The First CPA Firm in the Metaverse’ and Armanino LLP, the latter of which is the most well-known auditor that has frequently conducted Proof of Reserves audits. How could these accounting firms have failed to notice all the red flags and financial issues that FTX was having?

The most likely answer is that the accounting firms either weren’t provided with the necessary financial records in order to discover irregularities, or the data they were provided was incomplete, misleading, or altered. Whatever the reason, it doesn’t reflect well on either of these firms, which are now facing a lawsuit over allegedly missing red flags that they should have been able to catch.

It appears likely that FTX simply used these two accounting firms as pawns, and only fed them financial information that they were comfortable giving them in order to get ‘rubber stamps.’ A core part of an auditor’s job is to ensure they aren’t being used as a pawn by their client. It is the auditor’s job to ensure the scope of work agreed upon is appropriate. And it’s the auditor’s job to be skeptical about the information they are provided with. If the auditor doesn’t do these things and/or isn’t competent and knowledgeable, then the audit is useless, except perhaps to the exchange that may be seeking to misrepresent themselves.

The Relationship Between Use of Customer Assets vs AML Regulation

Existing regulations that target money laundering aim to prevent exchanges from profiting by processing illicit transactions. The market for illicit exchanges with ‘no questions asked,’ like Bitzlato, can be very profitable, which is why some exchanges choose to service this ‘sector.’

Likewise, exchanges that operate on a fractional reserve basis also do so for the purpose of generating higher profits — it’s ‘free’ money that can be leveraged, with potentially significant upside for the founders if leveraged appropriately and minimal downside (for them) if lost.

Having adequate compliance staff, policies and tools is important to an exchange’s overall compliance program. The same compliance personnel that deal with suspicious activity and money laundering would generally be in the best position to internally assess their exchange’s own practices with regard to the use and storage of customer assets, and are in a good position to ensure appropriate controls are in place to help prevent misappropriation of funds.

When an exchange doesn’t have competent and qualified compliance staff to deal with AML (such as Bitzlato for example, who has never once responded to any notification from Cryptoforensic Investigators), chances are there are not going to be adequate compliance staff and controls to ensure customer assets aren’t misappropriated.

Many cryptocurrency advocates are not particularly fond of banks or the banking system in general. But how much worse would it be if such banks were not subject to any regulation or regulatory oversight?