Why Compliance at an Online MSB is so Challenging

Back in the day

Jeff C
The Coinbase Blog
Aug 17, 2016

I opened my first checking account in 1997. My dad drove me to our local credit union (I was only 15) where I showed my student ID and we both signed the application. I received a debit card about 10 days later and was then free to buy anything that my $5/hour minimum wage job allowed. Gaining access to a debit card and the VISA network involved taking an hour out of my day, sitting in front of a representative, showing my identification, and handwriting an application.

Fast-forward nearly 20 years, and companies like Coinbase, PayPal, Venmo, Square, and other online money services businesses (MSBs) provide many of the same types of services that, traditionally, only banks did. There aren’t any more lobbies to wait in or paper applications to write on. The increased demand for online services, from banking to shopping to entertainment, means that there is additional demand for these services to innovate and improve on each other. Opening an account on any service needs to be quick and easy to attract users. However, this isn’t always compatible with federal or state regulations.

Nearly all MSBs are subject to the following laws & regulations:

This is only a partial list and doesn’t include the various regulations around lending, securities, and foreign currency exchange; nor does it include state-specific regulations. Operating solely online doesn’t excuse a company from complying with the same regulations as a brick-and-mortar business. What’s more, online MSBs are actually backed by these brick-and-mortar banks, who have their own internal compliance programs and terms of service to abide by.

Federal regulations

To cite just one of the above examples, know your customer (KYC) laws have been around, in some form, since the BSA was enacted in 1970. In 2001, the Patriot Act brought about some massive changes. The new requirements strengthened the information gathering necessary at account opening, which now requires some level of verification around who you say you are. The level to which this is applied varies depending on the risk rating that is assigned to an account (another Patriot Act requirement). This process doesn’t seem quite so intrusive when you’re sitting in front of a bank representative. Providing your ID doesn’t involve sending a copy through the internet & waiting for verification, and discussions regarding your expected account use and source of wealth (common questions designed to address risk) don’t involve back-and-forth emails. In the age of near-constant phishing concerns, getting an email asking you to explain your transactions and where your money comes from should naturally be treated with a high level of skepticism and concern. Finding consumer-friendly ways to get honest, good-faith responses to these questions can be very difficult and is crucial to complying with KYC, BSA, and Patriot Act obligations, even if they seem intrusive.

One of the complaints we hear is that Coinbase is asking questions that not even their bank would ask. This is because your bank already knows! Standard ACH transactions are required to include the recipient information in the transaction detail, so analyzing your transaction activity is relatively easy. When I use my card to buy something from Amazon, the transaction on my statement says AMAZON, so there really isn’t a question about who is on the other end of the transaction. For an MSB that conducts transactions on a digital currency blockchain, like Coinbase, these things are not always easy to discern, which is why it is sometimes necessary to reach out and ask the questions directly.

It’s the little things

Essentially, what makes MSB compliance so challenging for online companies is that the laws were written at a time when the specific requirements weren’t particularly difficult for a bank to implement. If your customer already expects to spend an hour setting up their account, what’s an extra 5 minutes? If you can already see the merchants and counterparties your customer is sending to, you don’t need to ask what the transactions are for. If you can see your customer’s direct deposits, you know what their source of funds is (82% of Americans use direct deposit). Not to mention the fact that having a bank account is an essential part of everyday life; you’re going to complete the process one way or another. However, when your customer expects to spend only 10 minutes setting up an account, or gets an email asking questions about account activity and income, these suddenly become big hurdles, and the potential customer may give up on your service entirely.

No standard template

KYC requirements are just one example of federal regulations aimed at protecting the financial system as a whole. State-specific regulations are aimed at protecting consumers, and may require small tweaks to processes, clear complaint and dispute resolution procedures, additional financial requirements like surety bonds, and detailed record-keeping. This means that there can be up to 52 different regulatory schemes to abide by (including D.C.). No small task!

We want to do it our way AND the right way

Coinbase is dedicated to bridging the gap between Finance 1.0 and Finance 2.0, and this means coming up with unique, digital solutions to a lot of traditional, pen-and-paper requirements. Despite the myriad regulations on the books, we strive to meet or exceed every one (more on that here). This helps protect our users, our employees, and the digital currency community. If you think you can help us create the digital compliance framework for the future, check out our open compliance jobs!

Big thanks to Reuben, Sarah, Daniel, Linda, and Michael for their input!
