The New York Attorney General released a report on September 18, 2018 on the results of the Virtual Markets Integrity Initiative, which was launched earlier in the year by the New York State Office of the Attorney General (OAG) with the intent to increase transparency into the operations of virtual currency trading platforms (Crypto Exchanges) to “protect and inform” residents who trade virtual currency assets, and to inform enforcement agencies.

As part of the initiative, the OAG sent questionnaires to 13 companies that operate Crypto Exchanges, soliciting information about each company’s: (i) ownership and control structure; (ii) user fees and basic operations (e.g., jurisdictions where trading is permitted, specific virtual currencies traded, and whether trading on margin is permitted); (iii) trading policies and procedures; (iv) outage and trading suspension policies; (v) internal controls; (vi) privacy and money laundering procedures; and (vii) procedures utilized to safeguard user assets.

The OAG’s findings in the report are based on the information provided1 in response to these questionnaires as well as information that is publicly available. The OAG indicated that it hopes the report will encourage Crypto Exchanges to adopt policies that will “ensure the integrity of transactions,” and further expressed an expectation that “responsible” Crypto Exchanges would expand the “transparency, security, fairness, and accountability” of their businesses as the industry matures.

OAG Identifies Three Areas of Concern in Virtual Currency Markets

In the report, the OAG identified “pervasive conflicts of interest,” a “lack in protections from abusive trading activities” and “limited protection” of user assets as areas of concern affecting virtual currency markets as a whole. Within each of these areas of concern, the OAG discussed the following specific concerns:

Conflicts of Interest: The OAG found that the companies operating these Crypto Exchanges carry on various lines of business that give rise to potential conflicts of interest. For example, certain Crypto Exchanges serve as an exchange while also operating at the same time as a broker-dealer, a money transmitter (including converting currencies), a proprietary trader of virtual currencies and/or an issuer of proprietary virtual currencies. In addition, the OAG found that potential conflicts of interest may arise when the employees of Crypto Exchanges are permitted to trade virtual currencies in a personal capacity and have access to non-public information that could create an unfair advantage over a platform’s users.

Abusive Trading Activities: The OAG found that Crypto Exchanges have not implemented “serious” efforts to protect users from abusive trading activities, noting that Crypto Exchanges often lack the robust trading surveillance capabilities that securities exchanges have. The OAG also emphasized that most Crypto Exchanges offer specialized services that appear to cater to professional, automated investors, which may disadvantage retail users. Looking more broadly, the OAG found that there is no overarching mechanism in place for analyzing suspicious trading activities across more than one platform.

Safeguarding Client Assets: The OAG found that the protections the Crypto Exchanges claim to have in place to protect user assets are “often limited or illusory,” due to a combination of audit issues peculiar to Crypto Exchanges, the risk of hacking or unauthorized withdrawals, and uncertainties about insurance coverage of virtual currencies. The OAG found that several Crypto Exchanges reported having independent audits performed on their virtual currency holdings, while some Crypto Exchanges did not report having independent audits performed. The OAG further noted that there are no generally accepted methods for auditing virtual assets, and the Crypto Exchanges that have regular audits lack a “consistent and transparent approach” to auditing virtual assets.

OAG Discusses Additional Investor Considerations for Selecting a Crypto Exchange

In the remainder of the report, the OAG discusses information that investors may want to consider when choosing a Crypto Exchange, and provides a comparison of various aspects of the Crypto Exchanges’ operations and policies and procedures that relate to: (i) jurisdiction, acceptance of currencies, and fees; (ii) trading policies and market fairness; (iii) managing conflicts of interest; (iv) security, insurance and protecting user funds; and (v) access to user funds, suspensions and outages.

Jurisdiction, Acceptance of Currencies, and Fees

The OAG noted that Crypto Exchanges that lack effective client identification procedures may be unable to prevent unauthorized access by users who violate the platform’s policies (including with respect to market abuse and anti-money laundering). The OAG found significant variation in the information that Crypto Exchanges require users to provide, under their respective “know your client” programs, before gaining access to the platforms. One Crypto Exchange reported requiring users to provide only a name, email address, and mobile number.

The OAG also noted that although several Crypto Exchanges reported prohibiting trading virtual currencies in certain jurisdictions, all but two of the Crypto Exchanges did not appear to have the necessary safeguards to prevent unauthorized access to the platforms by residents from such prohibited jurisdictions. In particular, the OAG noted that users could mask their physical location by accessing the platforms through a virtual private network (VPN). The OAG found that only two of the Crypto Exchanges claimed to block users from accessing their platforms through a VPN.

Regarding fees, the OAG found that the Crypto Exchanges employ a flat trading fee model, a “maker-taker” fee model, or some combination of both models, which typically include volume discounts to high-volume users. Tying into the OAG’s concern about abusive market practices, the OAG noted that the maker-taker fee model tends to give professional traders an advantage over retail users and potentially creates incentives that can distort markets. The OAG also found that certain of the Crypto Exchanges reported offering special fee schedules to certain traders pursuant to confidential bilateral agreements. In addition to trading fees, the OAG found that some Crypto Exchanges charge deposit and withdrawal fees, which may create disincentives for users to switch Crypto Exchanges.

Trading Policies and Market Fairness

The OAG noted that Crypto Exchanges are not registered securities exchanges or alternative trading systems. As a result, they operate without the regulatory restrictions that apply to those entities. In addition, users access the platforms directly rather than through a broker-dealer, which is typical of a securities exchange.

The OAG found that certain of the Crypto Exchanges permit sophisticated users who employ automated trading strategies to connect to the platform’s servers and access high-speed direct market data feeds. The OAG also found that certain Crypto Exchanges also offer specialized order types that may be useful only to professional, automated traders. The OAG noted that special access to information, specialized order types, and the aforementioned maker-taker fee model create incentives for certain professional investors to use the platform, but may also distort virtual currency markets and disadvantage retail users.

Tying into the OAG’s concern about abusive trading activities, the OAG found that although all of the Crypto Exchanges indicated that they permit automated trading, several of the Crypto Exchanges had no policies in place to prevent abusive trading practices by automated traders (such as the practice of placing multiple illusory orders to manipulate market prices or to slow a Crypto Exchange’s responsiveness). The OAG noted that some Crypto Exchanges reported monitoring automated trading behavior, while others reported limiting “message rates” submitted to the platform – either by monitoring the message rates or using programs to cap the message rates – or suspending users who submit an excessive number of small orders within a prescribed period of time. The OAG also noted that while each of the Crypto Exchanges prohibits a user from opening more than one account to prevent fraudulent trading, certain of the Crypto Exchanges’ know your client programs were not extensive enough to enable the platforms to effectively prevent users from trading through more than one account. The OAG also noted that one Crypto Exchange has formed a partnership with a securities exchange to enhance its market surveillance capabilities and that another platform is seeking a similar partnership.

Managing Conflicts of Interest

The OAG’s discussion with respect to conflicts of interest included several additional items not already discussed in their description of the three broad areas of concern, including a greater need for transparency into how Crypto Exchanges determine which virtual currencies to list. The OAG found that Crypto Exchanges generally do not appear to have objective methods for determining which virtual currencies to list on their platforms, in contrast to the practice of securities exchanges of publishing listing standards. Only one Crypto Exchange had disclosed a framework of factors it considers when determining to list a particular currency on its platform. The OAG noted that while certain Crypto Exchanges appear to use objective measures (such as market capitalization) as part of this determination, none articulated a consistent methodology for determining how to apply the measures to decide to list a currency. The OAG urged Crypto Exchanges to consider publishing their listing standards to facilitate transparency for users.

The OAG also found that Crypto Exchanges generally do not publish their fees for listing a virtual currency. Only one Crypto Exchange reported receiving compensation in the last two years for listing a virtual currency, noting that the listing fee was based on the virtual currency’s market capitalization. Certain other Crypto Exchanges indicated that they had in the past received administrative fees in connection with listing a currency, but had since ended the practice.

Tying into the OAG’s concern about conflicts of interest arising from employee trading, the OAG found that Crypto Exchanges differed in their approach to allowing employees to trade virtual currencies and monitoring their trading activities:

  • One Crypto Exchange reported prohibiting employees from trading on its platform.
  • Some Crypto Exchanges reported requiring all employees, or just the employees who have access “sensitive data,” to obtain clearance before trading.
  • Some Crypto Exchanges reported prohibiting employees from trading on other Crypto Exchanges, noting that it would be difficult to monitor employee virtual currency trading activities that occur on other platforms.
  • Two Crypto Exchanges reported requiring regular disclosures from employees regarding their trading history and holdings.
  • One platform reported limiting employee trading to a two-day window once a quarter.
  • Several Crypto Exchanges did not restrict employee trading in any capacity, with some claiming that employees did not have an “informational or other advantage over other traders.”

The OAG also found that the owners of and investors in several Crypto Exchanges are large holders of the virtual currencies that trade on the platforms, creating an inherent interest that the value of such virtual currencies increase and potentially creating a conflict of interest between the owners and investors and the respective platform’s users.

Further, the OAG found that several Crypto Exchanges traded virtual currencies on their platform for their own account. Of particular note, the OAG found that the proportion of trades that occurred on a platform that are attributable to a Crypto Exchange’s proprietary trading activities varied substantially, with one platform reporting that it was responsible for nearly 20% of the volume of executed trades on in its platform.

Security, Insurance and Protecting User Funds

Physical safeguards appeared to be one area where there was substantial similarity of practices across the Crypto Exchanges. The OAG found that all but two of the Crypto Exchanges require two-factor identification to access user accounts as a default. Two Crypto Exchanges went a step farther to provide additional protection, by enabling users to designate certain internet protocol (IP) addresses that are permitted to access the user’s account and blocking access to any IP address that has not been designated. Most of the Crypto Exchanges reported securing virtual currencies in “cold storage,” a practice of storing private keys to the virtual currency in a manner that is not connected to the internet and therefore less susceptible to hacking attempts.

Regarding insurance, the OAG noted that industry standards with respect to insuring virtual currency trading have yet to be developed. Some Crypto Exchanges indicated in their responses a concern that available insurance policies do not adequately address issues specific to virtual currency trading. The OAG also noted that certain Crypto Exchanges have publicly announced that they are developing insurance products to protect users against virtual currency transaction risks.

Access to User Funds, Suspensions and Outages

The report flags platform outages as an area that has prompted customer complaints. The OAG noted that Crypto Exchanges have at times experiences outages that resulted in users being unable to access their accounts and trade. The report indicated that, in certain instances, the Crypto Exchanges did not adequately respond to user complaints, or fully inform users about the source of the outage, how long the outage was expected to last, or what would happen when trading resumed. However, the OAG noted that most platforms notify users when an outage occurs, and some publish a history of previous outages.

The OAG also found that Crypto Exchanges handled outages differently, noting that some Crypto Exchanges cancel pending trades when an outage occurs, while others do not. The OAG found that Crypto Exchanges generally prohibit users from withdrawing assets during an outage, although one platform reported permitting customers to withdraw assets during daily scheduled maintenance.

More broadly, the OAG found that many Crypto Exchanges do not adequately disclose their procedures for transferring virtual assets from platform accounts to private wallets or processing withdrawals.

Conclusion

New York was a first-mover in the area of regulating virtual currency businesses, and it has adopted a comprehensive licensing requirement (known as a “BitLicense”) for companies engaging in virtual currency business activities in New York that seeks to address some of the issues identified in the report. However, the BitLicense regulatory framework does not expressly require such companies to disclose to users the company’s conflicts of interest, and does not expressly regulate the types services identified in the report as potentially disadvantaging retail users. While the report aims to address concerns that the OAG sees in virtual currency markets by arming investors with important information, it remains to be seen whether voluntary disclosure going forward will be viewed by the OAG and other government agencies as adequately addressing the issues identified in the report.