In early 1848, in the middle of a Californian river, gold flakes were discovered. Not even a year later, an influx of approximately 300,000 migrants arrived and staked their claims in the hopes of making their fortunes. Indeed, many fortunes were made; many lost, and some even stolen. The Californian Gold Rush was well and truly born.

Almost 160 years later, in 2009, Satoshi Nakamoto released the first decentralised cryptocurrency, Bitcoin. Just as the Californian Gold Rush was not the first gold discovery, Bitcoin was not the first cryptocurrency: online currencies such as B-Money and Bit Gold were conceived in the decade before, but never fully developed. What made Bitcoin special was its decentralised nature and the technology framework underpinning it – Blockchain – which helps to keep transactions secure.

The beginning of a new gold rush?

I can’t help but think of the 4th-century Roman poet Aurelius Clemens Prudentius, who said “hunger for gold is made greater as more gold is acquired”. We saw this during the Gold Rush. We see it now.

In a little over a decade, the number of cryptocurrencies has risen dramatically from the single Bitcoin to around 5,000 types of coin (albeit only approximately 1,600 may actually be traded). In addition to Bitcoin, we now have Litecoin and Ethereum. Depending on your political leanings, there is also TrumpCoin and PutinCoin. Even the Wu-Tang Clan have their own, the self-titled Wu-Tang Coin (actually the second Wu-Tang affiliated crypto exploit – after launching crypto firm Cream Capital in 2017 and an Ethereum-based token not long after).

Global research company Statista suggests there were some 44 million Blockchain wallet users as at the end of December 2019. Some users have multiple wallets, containing anywhere between a few hundred and a few thousand dollars’ worth of crypto, in a mix of different digital currencies.

There are currently anywhere between 310 and 380 active exchanges operating in a wide variety of jurisdictions. Although peer-to-peer transactions can be performed, exchanges are widely used for trading, buying and selling cryptocurrencies. Although they operate in much the same way as a traditional stock exchange, they are largely unregulated. They rely heavily upon the immutable and trust-based nature of Blockchain to ensure transactions are correct and valid. We’re talking about 200,000 to almost 500,000 transactions a day.

Whilst predicting the future of cryptocurrencies and their exchanges may be unwise, what is entirely predictable – and what we are already seeing – is the need for greater scrutiny, transparency and security.

Easy pickings in a fledgling market?

Crypto exchanges are far from infallible: high-profile failures such as Mt. Gox and Cryptopia collapsed as a result of systems breaches that led to the theft of digital assets. The insolvency of Canadian exchange QuadrigaCX, and more recently FCoin in February 2020[1], further highlights the precarious position an exchange can find itself in. In 2018 a total of over USD$2bn of cryptocurrency was estimated lost through fraud or theft[2], a staggering number which presumably would have resulted in greater media exposure or regulatory scrutiny had it been “lost” through the traditional financial systems.

So how can crypto exchanges establish a solid controls framework to identify and mitigate risk, satisfy regulators and give customers peace of mind? Earlier this year Grant Thornton’s global crypto specialists held a Crypto Summit in Tokyo to discuss exactly these issues.

Cryptocurrency falling through the cracks

What was made clear is that the regulatory approach to exchanges varies widely, with cryptocurrency falling through the cracks of established controls like Anti-Money Laundering legislation in many jurisdictions. For instance, the State of New York requires an organisation wishing to conduct cryptocurrency activities to obtain a “BitLicense”[3], whereas New Zealand – home to Cryptopia (which was one of, if not the, largest exchanges in terms of coin types traded) – has no such requirement.

Anti-Money Laundering legislation[4] regulates Australian digital currency, while in the United States it is recommended that exchanges gather and share information about the originators and beneficiaries of transactions (the “travel rule”). Crypto exchanges are held in the same category as traditional money transmitters, so the regulations that apply to those transmitters should also apply to crypto exchanges.

Step one towards better controls

In the face of varying jurisdictions, we believe that, as a minimum, cryptocurrency exchanges should undertake relevant Systems and Organisation Controls testing[5], a form of best-practice testing commonly referred to as ‘SOC’. In broad terms, the key reports in this suite (SOC 1, SOC 2 and SOC for Cybersecurity) look at the description of controls and their operational effectiveness regarding financial control, data security, privacy and cybersecurity risk management.

Grant Thornton LLP (our member firm in America) was recently engaged by Coinbase, a US-based cryptocurrency exchange with more than 30 million users, to undertake two examinations of their systems (specifically SOC 1 and SOC 2). Coinbase has traded approximately USD$150bn worth of cryptocurrency and is the first exchange to achieve these certifications, which in turn will provide its clients peace of mind that it collects, processes and holds all data and digital assets to the highest possible standards and security.

Whilst the world of cryptocurrency isn’t about to challenge the “traditional” financial systems (yet), cryptocurrency and, most importantly, Blockchain technology are here to stay. To paraphrase Prudentius: “the hunger for more crypto grows as more crypto is made”. Regardless of whether you are a new or established exchange, now is a good time to consider reviewing how effective your controls really are.