Big Banks and Crypto Exchanges: culpable or complicit?
***Basically my rant from various readings. Also, not a lawyer, AML compliance expert or security analyst***
Failures in AML and KYC
"Pig-butchering" scam (PBS) companies exist because of lax or no Anti-Money Laundering (AML) and Know Your Customer (KYC) implementation. They would open accounts in prestigious-sounding banks (e.g., HSBC, Standard Chartered or East West Bank) using shell companies, stolen identities and money mules. For cryptocurrency, they'd take advantage of uncooperative and unregulated cryptocurrency exchanges, especially Binance and Huobi. These exchanges notoriously employ “jurisdictional gymnastics”* under the cool-sounding “decentralized finance” (DeFi) to avoid any accountability, and play “compliance theater”** to mislead regulators and the public about their hollow AML and KYC practices.
From Chainalysis. Binance and Huobi are the 1st and ~5th biggest exchanges in the world by transaction volume, respectively, and the 1st and 2nd for dirty Bitcoins. Both together more than 50%! I bet it's worse now. https://blog.chainalysis.com/reports/money-laundering-cryptocurrency-2019
*Jurisdictional gymnastics - Nobody can figure out where to sue or to whom to complain about them because they're neither here nor there. e.g., Binance is proud of having no headquarters.
*Compliance theater - e.g., Making a show of asking for IDs and such, but NOBODY is really running checks on the back end; also puts out lots of blog posts about being on so proactive with regulatory compliance but actually do the bare minimum. But who's auditing? See above point.
Cryptocurrency investigator and grown man Richard Sanders pretending to be Taylor Swift to create an account with Huobi. It worked. 🤷 https://bravenewcoin.com/insights/kucoin-huobi-kyc
Checklists vs Considering Risks
Sure, banks and cryptocurrency exchanges may be investing a lot to protect against robberies and cyber attacks, but as in plenty of cases of PBS show, the worse ones have no safeguards at all against obviously suspicious transactions and new accounts. The human element is the most disregarded factor. Oftentimes the victims' transactions under undue influence are so obvious to third parties that have access to the financial history and information of the victims --the banks and exchanges. Many PBS victims typically send an accumulated total of $50k to more than $200k within a month, typically for the first time, and nearly all their net worth. These should have sounded alarms. (See Quincecare Duty below.)
On the other end, there is gross failure in due diligence on the receiving scammers’ financial institutions, which a cursory investigation could have easily caught. Compliance/anti-fraud staff are over-worked, under-resourced and low-priority. Most banks do the minimum AML/KYC that's required, check all the boxes, then make more money. They don't invest enough in staff doing the due diligence needed and in intelligent AML monitoring. Arguably, this is criminal negligence and makes them complicit in the economic and emotional devastation of many PBS victims.
Why is the burden of proof on victims to get a court order / police request to freeze accounts? Nine times out of 10, they're scam victims asking for help (and HK banks know it). Banks & exchanges have all the legal right to freeze accounts, but they err on the side of not scaring away new customers. The burden should be on the receiver to explain why/where/how they got a bazillion dollars wired from overseas within 2 weeks of opening an account. And it's not as if they don't know what's going on, but they still slow-walk their way through all the procedures. They should take into account different risk levels for every account.
Deceptive trade practices.
Cryptocurrency exchanges have made possible the largest and fastest outflows of many people’s savings, on what for all intents and purposes are illegal overseas remittances that exchanges are not regulated for. Scammers coach victims to open accounts in well-regarded platforms like Coinbase, Binance, Crypto, Gemini, etc. to instill confidence. Then, in all cases, these supposedly reputable exchanges absolve themselves of all responsibilities when their new customer-victims turn to them for help, while reaping all the profits from the price increases and transaction volumes caused by the scammers. The exchanges are far from “well-regulated” if they are completely defenseless and willingly oblivious to Authorized Push Payment (APP) scams. Their inaction also border on deceptive trade practices, in that they market themselves to the common consumer as being bank-like, but without the actual customer safeguards and accountability demanded of traditional banks. No fund reversal, no protection and no insurance for fraud.
Finally, it is always the perverse case that victims who were scammed the most, drained of every penny, are the least able to afford lawyers in asserting their rights against corporate malfeasance. One can easily see scenarios where justified cases of AML and KYC infractions could not be pursued by victims due to lack of resources and knowledge. Hence many illegitimate transactions and foreseeable tragedies committed by these financial institutions continue to increase...
Quincecare Duty - well-established principle that requires financial institutions to take reasonable care and skill when executing client’s instructions. If a bank executed a customer’s order to transfer money knowing it to be “dishonestly given, shutting its eyes to the obvious fact of the dishonesty or acting recklessly in failing to make such inquiries as an honest and reasonable man would make”, it would be in breach of this duty of care, even if the payment was done according to the terms of the mandate, and so the bank can be liable to its client for damages in negligence. “A financial institution which wrongly pays money away when it has no authority to do so will usually be treated as if it had paid using its own funds, not those of its customer.”
- Originally posted in private subreddit r/HumanNotaPig