The ever-evolving, colourful and often extreme Web3 space is full of possibilities, but it is also shrouded in regulatory grey areas, and recent history makes it clear that the stakes of getting compliance wrong are high. The recent $9 billion hack associated with Block’s alleged compliance shortcomings is a sobering reminder of this. Kwame Nkosi, a blockchain commentator, discusses the difficulties that Web3 startups face and points out the important lessons that can be learned from this high-profile case.
The Block Debacle: A Case Study in Compliance Failure
The action against Block highlights the serious consequences that can follow from weak compliance enforcement. Regulators point to several key failures that contributed to the vulnerabilities exploited in the hack:
- Transaction Monitoring Backlog: Block reportedly allowed a massive backlog in transaction monitoring alerts to accumulate, ballooning from approximately 18,000 alerts in 2018 to over 169,000 by 2020. This backlog suggests a systemic failure to adequately monitor transactions for suspicious activity.
- Insufficient AML Infrastructure: The company's AML infrastructure seemingly failed to keep pace with its rapid growth. This lag created vulnerabilities that regulators believe may have allowed illicit financial activity to go undetected.
- High Thresholds for Suspicious Transactions: Block's system set alarmingly high thresholds for flagging suspicious bitcoin transactions. It allegedly ignored wallets with terrorism exposure below 1% and only blocked transactions once exposure exceeded 10%. These lenient thresholds raise serious questions about the effectiveness of their AML protocols.
These failures illustrate why it is imperative for all Web3 startups to lead with compliance from day one. A reactive approach to regulation is simply not tenable in today’s innovative, fast-paced environment.
Navigating the Regulatory Maze: Key Challenges for Web3 Startups
Web3 startups encounter a perfect storm of regulatory hurdles when it comes to compliance. The industry is changing constantly. As a result, jurisdictions often provide either no clear regulatory guidance or an abundance of conflicting directives, creating a landscape that is difficult at best and contradictory at worst. Here are some key areas of concern:
- Evolving Regulatory Frameworks: The regulatory landscape for cryptocurrencies and Web3 technologies is constantly evolving. New laws and regulations are being introduced regularly, creating uncertainty for startups trying to stay compliant.
- Token Classification and Securities Law: Determining whether a particular token is classified as a security is a major legal concern. The consequences of misclassification can be severe, potentially leading to significant fines and legal action.
- Compliance with Data Protection Laws: Web3 startups must comply with data protection laws such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This includes obtaining user consent for data collection and processing, as well as implementing appropriate security measures to protect user data.
- Anti-Money Laundering (AML) and Know Your Customer (KYC) Protocols: Implementing robust AML and KYC procedures is essential for Web3 startups to prevent illicit financial activity. This includes verifying the identity of users, monitoring transactions for suspicious activity, and reporting suspicious transactions to the appropriate authorities.
- Navigating Multiple Regulatory Frameworks: Web3 startups serving users across borders must navigate a patchwork of regulatory frameworks. This can be particularly challenging, as different jurisdictions may have conflicting or overlapping regulations.
Building a Compliance-First Culture: Practical Steps for Web3 Startups
So, how can Web3 startups operate in this highly regulated minefield and not fall into the traps that caught Block? Kwame Nkosi suggests a proactive, compliance-first approach, emphasizing the following key steps:
- Understand Regulatory Requirements: The first step is to thoroughly understand the regulatory requirements that apply to your business. This includes identifying the relevant regulatory bodies and the specific laws and regulations that govern your activities. For example, entities must meet regulatory definitions, such as the US definition of a money services business (MSB), and register with relevant authorities, like FinCEN. Cryptocurrency businesses operating in certain jurisdictions, like New York State, must obtain specific licenses and follow rules set by regulatory bodies, such as the New York Department of Financial Services (DFS).
- Implement Robust AML and KYC Controls: Strong AML and KYC controls are non-negotiable. A robust AML and KYC framework is crucial for crypto-linked entities to demonstrate compliance maturity. For financial institutions, verifying a customer's source of wealth (SoW) from cryptocurrencies requires a combination of traditional due diligence and modern blockchain intelligence. AML investigators should recognize red flags similar to those in traditional transaction monitoring, such as multiple users sending funds to an address not associated with any known service.
- Implement Risk-Based Approaches When Engaging with Third-Party Providers: Crypto-involved companies should be exacting in implementing risk-based approaches when engaging with third-party providers. More comprehensive due diligence is particularly important when a third party supports higher-risk activities, including critical activities.
- Prioritize Cybersecurity:
  - Conduct regular audits by qualified cybersecurity professionals to identify and address vulnerabilities in smart contracts, decentralized applications (dApps), and other Web3 systems.
  - Establish a robust access control system to ensure that only authorized personnel can access critical systems, information, and assets within your Web3 infrastructure.
  - Enforce the use of strong passwords and implement multi-factor authentication (MFA) for all accounts and wallets.
  - Explore the potential of decentralized identity (DID) solutions to enhance security.
  - Consider storing cryptocurrency assets in hardware wallets.
- Seek Expert Legal Counsel: Given the complexities of the regulatory landscape, it is essential to seek expert legal counsel from attorneys who specialize in cryptocurrency and Web3 law. These attorneys can provide guidance on compliance matters, help you navigate regulatory challenges, and represent you in legal proceedings if necessary.
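To make the two monitoring points above concrete, here is a small Python sketch of a transaction-screening rule set. It is an added example written for this article, not code from Block or from any regulator. The lenient policy uses the 1% and 10% exposure thresholds quoted in the Block case; the stricter alternative policy, the exposure scores, the sample transfers and the known-service list are all constructed assumptions for illustration. It shows how the same transfers are classified under the lenient versus the stricter thresholds, and it implements the fan-in red flag of many distinct senders funding an address that is not tied to any known service.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    amount_btc: float
    # Constructed score: fraction of the counterparty wallet's funds traced back
    # to sanctioned or terrorism-linked sources, as a blockchain-intelligence
    # provider might report it (hypothetical values for this example).
    counterparty_exposure: float


# Thresholds described in the article: exposure below 1% was ignored and
# transfers were only blocked once exposure exceeded 10%.
LENIENT_POLICY = {"review": 0.01, "block": 0.10}
# Hypothetical stricter policy (an assumption for this example, not from the article).
STRICT_POLICY = {"review": 0.001, "block": 0.01}

# Constructed list of addresses attributed to known, licensed services.
KNOWN_SERVICES = {"exchange_A_hot_wallet", "custodian_B"}


def decide(exposure: float, policy: dict) -> str:
    """Classify one transfer by counterparty exposure under the given policy."""
    if exposure > policy["block"]:
        return "block"
    if exposure >= policy["review"]:
        return "review"
    return "allow"


def screen(transfers, policy: dict) -> dict:
    """Apply the exposure policy to every transfer; returns index -> decision."""
    return {i: decide(t.counterparty_exposure, policy) for i, t in enumerate(transfers)}


def fan_in_alerts(transfers, min_senders: int = 3) -> dict:
    """Red flag: many distinct senders funding an address not linked to any known
    service. Returns receiver -> number of distinct senders for flagged addresses."""
    senders_by_receiver = defaultdict(set)
    for t in transfers:
        senders_by_receiver[t.receiver].add(t.sender)
    return {
        addr: len(senders)
        for addr, senders in senders_by_receiver.items()
        if addr not in KNOWN_SERVICES and len(senders) >= min_senders
    }


# Constructed sample transfers (not real on-chain data).
SAMPLE_TRANSFERS = [
    Transfer("user_1", "unknown_addr_X", 0.5, counterparty_exposure=0.005),
    Transfer("user_2", "unknown_addr_X", 0.7, counterparty_exposure=0.05),
    Transfer("user_3", "unknown_addr_X", 0.2, counterparty_exposure=0.12),
    Transfer("user_4", "exchange_A_hot_wallet", 1.0, counterparty_exposure=0.0005),
    Transfer("user_5", "exchange_A_hot_wallet", 2.0, counterparty_exposure=0.0),
    Transfer("user_6", "exchange_A_hot_wallet", 0.3, counterparty_exposure=0.0),
]


def run_example() -> dict:
    """Compare both policies and the fan-in rule over the sample transfers."""
    return {
        "lenient": screen(SAMPLE_TRANSFERS, LENIENT_POLICY),
        "strict": screen(SAMPLE_TRANSFERS, STRICT_POLICY),
        "fan_in": fan_in_alerts(SAMPLE_TRANSFERS),
    }


if __name__ == "__main__":
    for name, result in run_example().items():
        print(name, result)
```

Under the lenient policy the transfer with 5% exposure is merely queued for review and the 0.5% one passes untouched; under the stricter policy those become a block and a review respectively. The fan-in rule fires on `unknown_addr_X` (three distinct senders, no known-service attribution) but not on the exchange wallet, which receives the same number of senders but is a recognised service. The "review" queue is exactly where a backlog like the one described in the Block case accumulates, so whichever thresholds are chosen, the review capacity has to be sized to clear it.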
The Block case should be a warning to all Web3 startups. By prioritizing compliance, implementing robust security measures, and seeking expert legal counsel, Web3 startups can navigate the regulatory landscape effectively and build sustainable, responsible businesses. The future of Web3 depends on it.