Experts say crypto firms have a responsibility and moral obligation to have anti-fraud controls in place, and that this will help create trust in the industry.
As cryptocurrency becomes more mainstream and physical borders become less important, digital frauds and scams have become increasingly pervasive.
In 2021, scammers around the world took home a record USD 14 billion in cryptocurrency, a 79 percent increase from a year earlier, according to data from blockchain analytics firm Chainalysis.
Scam losses rose 82 percent to USD 7.8 billion worth of cryptocurrency in 2021. More than USD 2.8 billion of this came from ‘rug pulls’, where developers build crypto projects that appear to be legitimate before they ultimately disappear with investor money.
Crypto theft rose to USD 3.2 billion in 2021, up 516 percent from a year earlier. Of this, 72 percent of the stolen funds were taken from DeFi protocols.
The data shows, however, that the growth of legitimate crypto usage has far outstripped the growth of criminal usage, indicating that illicit activities are becoming a smaller and smaller part of the overall ecosystem.
Still, the crypto industry has and continues to suffer from a “branding issue”, says Payal Patel, APAC Vice President for Risk and Compliance at Circle. “We have seen crypto businesses that operate with little to no controls in place.”
“But rather than waiting for regulators to tell us what we need to do to manage fraud, it’s really beholden on those of us that work in this space to collectively consider how we can pragmatically address this risk.”
Early in the pandemic, most of the fraud in the crypto space targeted new account applications, with fraudsters hiding amidst a broader mass migration to digital that occurred during the lockdowns.
According to Stephen Topliss, Vice President for Market Planning, Global Fraud and Identity at LexisNexis Risk Solutions, while some exchanges still report up to 30 percent of their new account applications as being fraudulent, this focus has somewhat shifted.
“Fraudsters today are also looking to exploit the accounts that were already set up during the pandemic. The focus is now more on account takeover, so firms really need to pay attention to the whole customer lifecycle,” he says.
This shift has been a challenge for many crypto firms, particularly those who have limited in-house expertise to address fraud risks and fraud prevention tools that can’t easily respond to shifting fraud attack vectors.
Besides fraud targeting account and wallet access, fraud risk in the crypto sector has been a key concern in relation to new token offerings and listings, including NFTs.
A case in point, the world’s largest NFT marketplace, OpenSea, said earlier this year that more than 80 percent of the NFTs created using its free platform were “plagiarised works, fake collections, and spam”.
For crypto exchanges, the risk of a new token issuance being fraudulent can be addressed through more extensive vetting processes, says Chris Holland, a Partner at Holland & Marie.
“But there is also a key role for investor education, to prevent customers from being exploited by scammers offering so-called ‘risk free’ crypto investments that often turn out to be too good to be true.”
In the ‘traditional’ financial sector, regulators are increasingly expecting banks to do more to protect their customers from falling afoul of fraud, Holland says.
“These expectations have increased beyond helping customers identify fraud, however. Regulators in many jurisdictions want financial institutions to also take responsibility and share in any customer losses from fraud.”
In the UK, for example, a public outcry over high rates of scams where customers were tricked into moving money into fraudsters’ accounts prompted banks in 2019 to establish and sign up to a voluntary code under which customers are compensated for Authorised Push Payment scams, except for cases where there is evidence of clear negligence.
The UK government now plans to introduce legislation that will make it mandatory for banks to compensate customers for these types of fraud linked to payments authorisation. “The message here for the crypto industry is that if you don’t manage your fraud, then either the public or the regulators will come after you,” says Topliss.
In Singapore, the regulator has already imposed curbs against advertising by crypto firms, based on its view that crypto is unsuitable for the general retail public. “We could see something similar happen to protect customers against fraud if regulators feel the industry is not doing enough,” Holland says.
Responsibility to Combat Fraud
So far, regulators in most jurisdictions have not kept pace with fraud developments in the crypto space, expecting industry players to themselves be forthcoming with solutions to address this risk, says Circle’s Payal Patel.
Firms in the crypto space have a responsibility to their own organisation to do as much as possible to prevent financial losses for customers, she says.
For a company like Circle, which operates one of the world’s most popular stablecoins (USDC), this obligation is reflected in its efforts to help merchant customers prevent payment reversals they may not have the ability to cover.
“Our fraud team sits within our compliance function and works very closely with our AML team. But it also works very closely with our engineering teams, to ensure we are able to really assess the use of our platforms, and to translate this information into typologies and meaningful goals for us that address our unique risk exposure.”
Circle is also obliged to keep payment reversal rates below certain network threshold set by its payment processing partners Mastercard and Visa.
According to Topliss, the crypto industry is looking to address risks that cut across fraud and AML at the same time, which is “quite different from what we see when we’re engaging with traditional banking clients, who are typically focused on one or the other.”
However, he adds, there is an increased recognition in both the banking and crypto industries that both fraud prevention and AML can use a lot of the same digital intelligence and technology, even if models and operating procedures may differ for the two purposes.
Holland says AML is still the number one priority for most regulators, but that there are also expectations for firms to protect retail customers from other risks, including fraud. “So, having technology and systems that allow you to track both is ideal.”
Given this increased focus on protecting retail customers, crypto firms have been evolving their approaches to fraud prevention, from one that heavily focuses on strong multi-factor authentication, to one that applies a risk-based approach that leverages data, digital intelligence, and more sophisticated analysis.
“Firms indeed need to move to a more flexible and layered defence against fraud,” says Topliss. “Firms that are setting static fraud rules or using pure multi-factor authentication are going to be at greater risk than those that have more modern and flexible systems in place, which allow for easier recalibration of fraud models based on emerging trends and help to really identify higher risk transactions.”
There is a real risk of crypto firms losing their connection with the traditional financial system if they don’t correctly address fraud risk. “This is not only bad for crypto firms, but for customers as well, who simply end up looking for alternative ways to on-ramp to crypto, which can often be less regulated and higher risk,” Topliss says.
“There is a real opportunity for crypto firms to brand themselves as organisations that are really focused on protecting consumers. This could have a huge positive business impact.”
Similar to how the banking industry has been increasingly sharing intelligence and working together, there is an opportunity to take similar measures against fraud in the crypto space, Topliss says.
“I also see an opportunity for crypto firms to work together to fight fraud. Ultimately, as fraud becomes more sophisticated and more coordinated, we will ultimately need to fight these networks used by bad actors with an industry-led network of our own.”
For Patel, having the right controls in place to protect users from fraud will help create trust in the industry and boost mass adoption. “But more than that, having these controls in place is part of our moral obligation,” she says.
To hear more from Stephen Topliss, Payal Patel, and Chris Holland, watch this on-demand webinar.