Binance has become the world’s most prominent crypto player thanks to its snubbing its nose at regulation. When people in the digital-asset industry call for better governance, their appeals do not move Binance.
Led by CEO Zhao “CZ” Changpeng, the company’s strategy has been to skip town when it ended up in regulators’ crosshairs: from China to Japan to Malta, and with offices distributed in other don’t-ask don’t-tell jurisdictions – but also in Singapore.
This week, on Wednesday, Binance revealed it had been the victim of a sophisticated theft. Hackers got their hands on API keys and two-factor authentication codes, before downloading 7,000 bitcoins ($40.7 million) out of client hot wallets in a single strike.
Binance claims to trade the equivalent of almost $1 trillion daily. This is an inflated figure: according to BitWise Asset Management, in a March 19 filing with the U.S. Securities and Exchange Commission, Binance probably trades $110 million in average daily turnover.
Nonetheless it is by far the biggest exchange, far ahead of Bitfinex ($38 million ADV), Coinbase ($27 million) or any other.
This inflation of numbers is in line with the industry: according to BitWise, 81 exchanges reported a total AVD of around $6 billion but in reality the figure is probably $273 million. But only the largest exchanges, including Binance, exhibit tight trading spreads and other signs of genuine liquidity.
Exchanges need to raise the bar in order to reduce the perception riskMurray Wood, Aon
But whereas nine out of the top 10 biggest exchanges are regulated under America’s FinCEN (a unit of the Treasury department) as money service businesses, Binance is the one that is not. Its KYC and AML procedures are considered inadequate compared to other exchanges. More: it happily lists tokens that are deemed securities in the U.S., Hong Kong or Japan, making its refusal to abide by regulation possibly illegal in those jurisdictions (the company says it does screen out citizens of the U.S. and some other markets).
Binance’s cowboy attitude has helped it win the lion’s share of the crypto market. But as the rest of the industry looks for growth to institutional money, even retirement funds, Binance’s strategy may not be sustainable. Moreover, as it has become so big, the company is more likely to end up in the crosshairs of securities regulators and tax authorities.
Life for Zhao and his team could get uncomfortable. Getting hacked, therefore, is likely to complicate the executives’ long-term strategy for dealing with the long arms of the law.
Who gets hurt?
At a conference yesterday in Hong Kong organized by BC Group (at which DigFin was a media partner), people in the digital-asset space said the hack, though not huge in absolute terms, would be a blow to the reputation of the industry’s leading player.
But the firm hasn’t suffered much in trading terms. The overall market stabilized, with the price of Bitcoin recovering a temporary setback.
As crypto goes to cloud, it will need hardware solutionsIan Christofis, nCipher
The price of Binance’s own token, BNB, was down -7.4% in U.S. dollar terms yesterday, to $20.56 (and down -6.3% against Bitcoin) but this is a blip against what’s been a stellar performance since the crypto market’s slump in early 2018. In fact, BNB is trading near its bubble highs.
(Binance gives trading discounts to people who also hold its coin, which some investors believe makes it valuable, although it could also be ruled a form of equity – another regulatory puzzle.)
Kudos for responding
Some industry execs are sympathetic. Noting the professionalism and the patience of the Binance heist, Chad Lynch, cybersecurity software engineer at Seoul-based Horangi Cyber Security, noted that even well-resourced organizations will fall prey to state-sponsored attacks.
Urszula McCormack, partner at law firm King & Wood Mallesons in Hong Kong, noted that the Binance team had reacted responsibly, reporting the hack right away and being transparent about the situation. (Our story’s image is taken from yesterday’s video featuring Zhao in a Q&A about what had happened – this may seem de rigueur in established industries, but many crypto exchange execs, like the crew at Bitfinex, often prize anonymity in the face of bad publicity.)
The best solution is to hold your own assetsBen Soong, Ledger
And while Binance may not be known for its zeal in AML checks, it has for the past year been seeding its own rainy-day fund out of trading commissions, which should pay for most of the losses; Binance says it will cover the rest.
Whatever the outcome for Binance, the real damage of this attack is likely to fall on others: the rest of the digital-asset industry that is trying to establish its professionalism and legitimacy with regulators and investors.
Murray Wood, Singapore-based head of financial specialities for Asia at insurance broker Aon, says it’s already hard for crypto-companies to give insurers the perception of safety. Actuaries struggle to price risk or estimate probabilities around digital assets. He reckons fewer than 10 percent of companies in the digital asset space are insurable.
“Exchanges need to raise the bar in order to reduce perception risk,” he said, citing BC as an example (the group operates ANXOne, an institution-facing exchange).
Crypto is unique in that both its users and the cloud infrastructure can be attackedChad Lynch, Horangi
The Binance hack shows that even the biggest exchanges are still operating retail-level operations instead of the deep, sophisticated tech and procedures that banks have honed over decades.
Banks too get hacked, of course, and if hackers are determined enough, they can breach anyone’s defenses. Binance succumbed to a phishing campaign, in which someone internally opened attachments loaded with malware.
But digital-asset players have, in general, ignored security in their rush to conquer markets and deliver products. Many are now transferring their computing needs to cloud vendors, which opens up yet new vulnerabilities.
“As crypto goes to cloud, it will need hardware solutions to protect private keys,” said Ian Christofis, managing principal consultant at nCipher Security, in Hong Kong. Too many rely just on software to handle cyber-security, but software is complex. “It’s hard to know what’s protected.”
Ben Soong, head of Asia Pacific at Ledger, which manufactures hardware storage devices, says the bear market in crypto has made exchanges even more reluctant to invest in security; and regulators, which so far have yet to come up with a formula to license crypto trading venues, have not set out standards. He thinks this will change when banks and institutional investors start to allocate money to digital assets.
The real vulnerabilities right now, Soong says, is not the lack of hardware but sloppiness in how different organizations communicate. Whether it’s a trader sending a message to the exchange, or an exchange leveraging unsecure APIs to make accessing hot wallets more convenient, or someone going through the steps of recovering a lost key, there are a growing number of ways hackers can attack a vault.
“The best solution is to hold your own assets and don’t keep them with the exchange,” Soong said. Which may be true but is anathema to many banks and investors that rely on third parties as fiduciaries.
“Crypto is unique in that both its users and the cloud infrastructure can be attacked,” said Horangi’s Lynch. At the end of the day, managing people is even more important than the tech. Binance succumbed, after all, to someone opening a toxic attachment (so far as we know). “We need to improve the user experience when it comes to handling cryptographic secrecy.”
What’s the real threat to crypto?
There is one last area that has so far gone unremarked by the professional elements in the industry, but was noticed by the crypto trading and developer communities right away.
That’s Zhao Changpeng’s revelations via Twitter that he and his team had considered a “rollback” of the Bitcoin protocol, in order to “cancel” the fraudulent transactions.
Doing so would require 51 percent of the networks’ hashing power – its miners and mining pools – to agree.
Zhao immediately added that he was against the idea because it would destroy Bitcoin’s credibility.
This isn’t unprecedented: “hard” forks occur when the developer and mining community split on fundamental issues. Ethereum faced the same problem when in 2016 someone hacked Genesis DAO, an early version of a crypto venture fund. The debacle ended in a hard fork, with those rejecting a rollback left to create Ethereum Classic. Bitcoin also has variants, such as Bitcoin Cash.
But Zhao’s comments didn’t suggest he would have needed to enter a long campaign to generate a rollback, as happened with DAO. Rather, he said it would take a few days. Moreover, he said $40 million wasn’t worth splitting the Bitcoin community. But at what amount would he have forced a rollback?
More importantly, just how much power does Binance – which thumbs its nose at regulators in the name of decentralization – have in what’s meant to be a decentralized network?
Hong Kong offers crypto exchanges path to regulation
But the SFC’s Ashley Alder also declares war on bitcoin futures traders.
Ashley Alder, the CEO of Hong Kong’s Securities Futures Commission, is blazing a path to regulation for crypto-trading platforms.
It offers crypto exchanges a route to becoming licensed, provided they trade at least one virtual asset that is deemed a security. The SFC is therefore taking a huge step toward the institutionalization of digital assets, and giving some operators the chance to use a Hong Kong base to distinguish themselves globally.
At the same time, however, Alder said the SFC intends to take action against bitcoin futures operators, particularly those marketing high degrees of leverage.
“We’ve been concerned for some time about platforms offering virtual-asset futures contracts to the public,” Alder said on stage at Hong Kong Fintech Week. He cited these contracts for being extremely volatile, high risk, and difficult to value, all exacerbated when exchanges offer enormous amounts of leverage, and charges that some of these platforms engage in manipulation by changing trading rules during the lifetime of a contract.
Alder says the SFC will go public with such risks, and warned that those who offer bitcoin futures may be in breach of the Securities Futures Ordinance or the Gambling Ordinance – in other words, engaging in criminal activities.
OKEx has been one platform accused of changing its trading rules mid-contract, according to the South China Morning Post.
Path to licensing
But the big news from Alder is the decision to legitimize those crypto exchanges that can meet the SFC’s traditional compliance requirements for brokers and market operators, opening the possibility they can receive a Type 9 license for exchanges.
Some crypto exchanges hailed the move. BC Group called it a “watershed moment for financial services in Asia and institutional adoption and trading of digital assets.”
Worldwide, the only regime for requiring licenses for crypto exchanges is the state of New York, which in 2014 issued its BitLicense for any entity carrying out virtual currency activities in the state or for New York residents.
Circle, Coinbase and Square are among those license holders.
But what Hong Kong is doing is far more ambitious. First of all, the SFC does not recognize bitcoin as a currency, but it acknowledges the existence of a broader realm of digital assets that is rapidly permeating the traditional world of finance.
The Libra catalyst
It was Facebook’s June announcement of its Libra project, the most prominent of stablecoin ventures, that really galvanized the SFC, however.
“These [stablecoins] claim to have a mechanism to stabilize their value by backing a virtual token with fiat currencies, commodities, or a basket of other crypto assets,” Alder said. “They not one hundred percent stable, but they are in contrast to a crypto asset such as bitcoin which has no intrinsic value whatsoever,” which is why bitcoin and other alt coins are volatile.
Libra has lit a fire beneath central banks, financial regulators and politicians, because Facebook’s reach means Libra can be adopted globally very quickly. Although the consortium backing Libra has since lost prominent members, Alder said, “The Libra project has at least galvanized regulators across the world to look at the opportunities and the risks in digital assets. That is a complete change from the relatively relaxed attitude of last year.”
Instead, officials around the world realize they need a coordinated response involving many domestic authorities responsible for financial supervision, consumer protection, privacy, data, anti-money laundering and other functions – not to mention an international coordination.
“Libra and similar ideas have raised such fundamental issues about the digitalization and potential privatization of money that they’ve already inspired the beginning of a new global, multilateral approach,” Alder said.
The SFC’s plan
So the SFC is taking the initiative to generate progress on creating a structure to regulate crypto exchanges. There are dozens of these operating in Hong Kong; because there’s been no regulation to date, they all operate beyond any investor-protection compliance.
At last year’s Fintech Week, Alder announced regulation for brokers and fund managers, but this excluded the platforms where most people go to access or trade virtual assets.
The SFC is releasing terms and conditions for exchange operators to meet the traditional standards for trading venues around custody, market manipulation, KYC, AML and insurance, along with guidance on fitting these to blockchain, hot and cold wallets, protocol forks and airdrops.
But the new rules will still leave gaps, which require new legislation to address. Platforms that totally avoid listing or trading securities tokens can continue to avoid regulation. Nor will the SFC have the authority to take legal action against operators for market misconduct if they remain outside its supervision. “Essentially it’s a framework allowing a platform operator to opt in to regulation,” Alder said.
“This is just an interim measure…The game-changing proposals involving stablecoins are likely to be a catalyst for accelerated thinking on a globally consistent set of regulatory expectations.”
What Citi Ventures’s incubator seeks in Asia
Victor Alexiev, the regional lead at D10X, talks about the technologies transforming institutional business.
Victor Alexiev is Singapore-based Asia-Pacific lead for Discover 10X (D10X), the new product incubation arm of Citi Ventures. He joined in 2018 and now covers incubation, programs and strategic partnerships for Citi’s institutional clients group.
D10X launched in the U.S. in 2016 to foster innovation from within the bank, encouraging lean-startup thinking as well as coordinating third-party build, buy or partnership decisions with other parts of the bank and its clients.
The following is a transcript of an interview with DigFin, which has been edited for style and conciseness.
DigFin: What kind of innovative models are you trying to develop?
Victor Alexiev: In Asia, it’s about new products and new services in the ICG [institutional] part of the franchise, so the projects we work on are mainly B2B and B2B2C. We’re not just looking internally. We also try to partner with technology companies as we find pain points they address.
What kind of business models are you looking for in this region?
Finding solutions for Citi’s markets, commercial and investment bank business.
Why not for the consumer side, which is such a big part of Citi’s P&L?
We do have D10X in our consumer business for North America, but not in Asia, at least not at this stage. In Asia, consumer fintech and quite fragmented and competitive, and my personal view is that you will need to put in a lot more resources in order to achieve meaningful results.
Is innovation within a huge bank, particularly if you’re focused on B2B – is that an oxymoron?
Yeah, a lot of people think that innovation with corporations is too slow. It’s true in part, as we have to go through a lot of compliance, sourcing and H.R. checks. But we’re looking after companies and people’s money. But once you identify a product fit, you scale much faster. I’m here to build something meaningful within a large institution that has a global footprint.
Within B2B, what kind of ideas are you looking at?
Most projects are new models of customer engagement. Our most public project that was built and rolled out via D10X is Proxymity, an end-to-end proxy voting platform offered to custodians, that directly connects issuers and investors in real time.
Customer engagement sounds very, um, consumery.
A lot of corporate and institutional business platforms for banks is clunky. Or it’s based on business models that just seek to skim basis points by processing large volumes. What will next-generation banking look like? What happens if banks become platforms for others to create value? What do direct-to-consumer models look like for our transaction or investment banking?
So even at the corporate level, you need better customer engagement.
That’s right. For example, an increasing number of clients want to consume our products via an API instead of calling our salespeople. We’ll still need salespeople but we have to be realistic that our evolving client expectations demand a different experience.
What does engagement mean? Can you give me an example?
We’re finding, for example, that buy-side clients are less interested in reading a full research report. But they’re very interested in parsing the underlying data that made that report. Decisions are becoming more quant-driven, so we don’t need to offer as many products. It’s about helping our clients make data-driven decisions and providing them with data-driven products
Is that just a matter of better product design?
No, it means we need to transform the entire organization, to be an end-to-end digital driver – “customer engagement” can’t be just about our front office. “Digital” is about culture and people.
I often hear about banks changing their culture, changing the ways they do business, the mindset – yet the rhetoric doesn’t describe the reality. At best it’s a partial change.
There’s an increasing urgency within banks in general. Margins are thinning, and there is a realization, or a willingness, to transform. We’re trying to speed up the process by providing examples of what “good” looks like.
Where have you implemented new solutions so far in Asia?
Initially we rolled these out in our markets and securities services business. We focused on custody, securities services, equities, and foreign exchange. Gradually we’re bringing new technologies to spread products, corporate banking, investment banking and transaction banking.
And within those divisions, what parts of Citi are you focused on? Operational efficiencies?
Efficiency is important but lots of departments are already looking at this. I also see at other banks a lot of innovation labs doing proof-of-concepts that may not reflect the actual business needs. The projects I work on all have separate, independent P&Ls, and are focused on client-centered new value creation.
You had mentioned client engagement at the institutional level. What are your clients asking help with?
Long-only funds want data to help them with things like modeling ESG portfolios (for environmental, social and governance standards). More short-term trading clients want data-centered models to take faster data-driven decisions.
We explore questions like what do next-generation pension funds look like? What about insurance? How do we support sovereign funds in managing impact-oriented portfolios?
You’re not big on blockchain consortiums and such?
We are, if it meets business needs. We participated in Komgo, a blockchain consortium for documentation in letters of credit that finance commodities trades.
What are the particular technologies that you’re trying to adopt?
Machine learning, APIs and blockchain are the three deep, transformative domains. For these to flourish requires a bigger internal transformation, a broader regulatory understanding of them, and a cultural mindset change.
That’s a lot. Any anecdotes you can give, to make that a little more concrete?
We’re about to publish with ASIFMA a white paper on STOs [securities token offerings] exploring what it would take to make these go mainstream. Our takeaway was interoperability. A fintech can issue a real-estate token, say, in their local jurisdiction, operating under the same local regulation for securities or property. But how do you open that to international investors, or institutional investors, or create a global marketing capability? The complexity quickly goes up. The same goes for, say, using A.I. with certain clients for real-time pricing and execution of F.X. or overnight collateral. What does that mean, how could it change the market? We’re exploring use cases, doing experiments – to do it right, we have to get out of the lab.
Are you finding lots of B2B technology companies in Asia who fit into these needs?
There are few startups that are enterprise-ready, globally scalable and that could deal with our clients. They need to be either close to the customers – meaning they already have insight, client integration of lots of data – or have differentiated tech that it is scalable, high performance, and can help banks solve specific problems.
But I’m bullish on tech in Asia. We’re seeing the dawn of Asian tech: the technology itself is maturing as companies shift from copy-and-paste to developing more core tech. And we’ve seen more B2B fintech move from trying to compete with us to partner with us.
Hope for handling corporate actions?
The industry is shifting from evolutionary fixes to transformational change.
DigFin moderated a webcast last week on the topic of using new tech to handle the thorny old problem of processing corporate actions. Mention “corporate actions” and you mostly have ops and tech people at financial institutions reaching for aspirin, or something stronger.
Corporate actions are anything a publicly traded company does that impacts its securities, debt or equity. Even straightforward things like a stock split come in all different flavors. There’s no one cone to hold all this ice cream. Banks, brokers, fund managers, and trading venues have invested zillions into processing transactions, but corporate actions is always “the poor cousin”, as Dean Chisholm, Hong Kong-based COO for Asia Pacific at Invesco, put it during the webcast. And because of the complexity, vendor solutions have been too expensive.
Mention ‘corporate actions’ and you have ops and tech people reaching for aspirin, or something stronger
But the industry can’t ignore corporate actions. Alan Jones, Singapore-based head of business development for Asia at SmartStream Technologies, pointed out that corporate actions today represent the highest point of risk to operations. As firms look to scale their businesses – with new markets, new products to handle, and an ever-increasing variety of actions to handle – they need to deal with this final barrier to straight-through processing. Do that, they can then begin to add value, like analytics on top that can give investment firms, for example, a view as to how good a job their service providers are doing.
The good news is that technology is evolving to the point that automating corporate actions is looking possible. The biggest enabler is cloud computing. Cloud isn’t just about saving on cost, noted David Fodor, Sydney-based head of business development for financial services at AWS. It’s about scalability and flexibility. Moving to cloud computing is the precursor to handling the vast amounts of data required to come to grips with something like corporate actions.
There’s no one cone to hold all this ice cream
Cloud is just a starting point, though. One challenge is that corporate actions involves many players, said Satyan Patel, senior VP for global client development at Hong Kong Exchange. Stock markets like HKEX connect to depositories, custodian banks, securities brokers, data vendors and investment firms. And then you have the issuers themselves, whose announcements are often in the form of unstructured data (like text on a PDF). The good news is that, beyond firms’ own IT spend, the finance industry is gradually adopting new standards, like ISO 20022 for messaging. That will help reduce the amount of unstructured data.
However that still leaves a lot of data of questionable integrity out there, which defies manual processing. Francis Breackevelt, chief operations head for Asia at BNY Mellon, in Singapore, said the full range of new technology needs to be brought to the fore. Whereas for years, transaction processing was an evolutionary process, he thinks the industry is at a point of major change. From simple robotics to natural-language processing and other forms of artificial intelligence, firms are on the cusp of tackling the variety of corporate announcements. They are looking at distributed-ledger technology to enable industry-wide processing.
Corporate actions processing isn’t going to be solved like flipping a switch. It requires a critical mass of industry player involvement, guidance from regulators, confidence in the data, greater adoption of enabling tech like cloud, and successful implementation of A.I. Then all of that needs to be implemented to the extent great enough to bring processing costs down, a lot. But fintech is making possible the goal of automating corporate actions in a way that until now has been just a dream.