Japan’s FSA defends approach after Coincheck fraud

The Coincheck cryptocurrency fraud has rocked Japan, which had been the first country in the world to build a regulatory environment for crypto exchanges. The FSA regulator briefs Euromoney on how it built its rules and what Coincheck means for the future.

Journalists wait outside cryptocurrency exchange Coincheck’s office in Tokyo

Pity Japan. The country has sought to build the most sophisticated and inclusive regulatory environment in the world for cryptocurrency exchanges, one that marries supervision with a need to foster innovation.

Yet it has now been home to the two biggest heists in cryptocurrency history. Bad luck? Or has one state of affairs led to the other?

The theft of at least $500 million-equivalent of cryptocurrency from Tokyo-based exchange Coincheck in January has the Financial Services Agency (FSA) reeling. It is simultaneously trying to work out what happened, stop it from happening again and decide whether its regulatory approach is flawed.

The FSA has not spoken publicly about the heist, but two sources at the regulator briefed Euromoney at length at its Kasumigaseki headquarters in February, on condition of anonymity.

To understand the Coincheck situation one must first go back to the earlier theft, from another Shibuya-based exchange, Mt Gox. That involved a similar volume of cryptocurrency ($450 million, based on the value at the time) when 850,000 bitcoins were stolen in early 2014, 650,000 of which remain unaccounted for today.

Blind-sided by the theft, Japan immediately set about creating an environment that would protect investors without driving out a growing sector at a time when Japan needed growth.

“There was a sense of ‘we’ve been left behind in fintech and if we want growth, we have to stop being so protectionist’,” observes one banker in Tokyo. “The regulatory approach they developed for cryptocurrencies was caught up in that sentiment.”

The FSA tells Euromoney that Mt Gox was only one reason for developing the new standards and not the most important.

“The first perspective was anti-money laundering,” one source says, speaking to Euromoney through an interpreter. At the G7 summit in 2015, a discussion had taken place about the transparency of currencies, including cryptocurrencies. “There was an international requirement to take action against money laundering. Setting up a registration or licence system for cryptocurrencies was the first step.”

A document from the time shows that the measures had two principal goals: ensuring the trust of users – through the revised Payment Services Act – and money-laundering/terrorism financing countermeasures, through the revised Act on Prevention of Transfer of Criminal Proceeds. 

The problem was that by agreeing to regulate and license cryptocurrency exchanges, the FSA gave the whole sector a stamp of approval in the eyes of investors – Banker

The regulations came into effect in April 2017 and were considered accommodative. They set various requirements for identity verification, the reporting of suspicious transactions, safety management and separation between cash and virtual currencies, but they did not carry exacting capital requirements.

And they perhaps brought about an unintended secondary effect: they seemed to legitimize cryptocurrencies.

“The problem was that by agreeing to regulate and license cryptocurrency exchanges, the FSA gave the whole sector a stamp of approval in the eyes of investors,” says another banker. “There was a sense of ‘if the FSA is regulating them, they must be OK’.”

Is this fair? The FSA says not.

“This regulation system is not for cryptocurrencies themselves,” says a source. “This is a regulation imposed on cryptocurrency exchanges. So it’s not the case that we made sure that cryptocurrencies would be safe under this regulation, or that the Japanese government endorses cryptocurrencies.

“That’s not the case at all. This is just a regulation imposed on the exchanges so that they can take appropriate measures for money laundering and protection of users.”

One decision that has attracted scrutiny was that allowing existing exchanges to continue even when they were not yet licensed. Many, after all, pre-dated the new rules.

“With the enactment of the regulations, every operator has to have a registration with the FSA,” says a source at the regulator. “But there are several operators and exchanges which already conducted businesses even before the introduction of the law. If we tried to stop them from operating, that would cause a lot of problems, for consumers as well.

“With that consideration in mind, we decided to take a transitional period.” Under the terms of this transition, operators that were already up and running would be called “deemed registered operators”, pending formal licensing. “However, for those deemed operators, we impose the same regulations and rules for the licensed or registered exchanges, so we believe there is a certain appropriate level of supervision of these operators as well.”

One of these “deemed registered operators” was Coincheck. And its continuing unlicensed – or pre-licensed – status was not just a question of being stuck in the queue.

Belligerent

After the introduction of Japan’s rules in April, exchanges were given six months to register and Coincheck, which had been established in August 2012, was one of them, filing its application in September 2017.

By that stage, it was one of the biggest exchanges in the country and therefore the world, with 71 staff, operating, like most exchanges – and Mt Gox before it – from the tech-heavy Tokyo suburb of Shibuya.

Also like most exchanges, it was a touch belligerent towards the very idea of regulation. Its business development manager, Kaga Kawabata, gave an interview to Reuters last year, saying of the FSA: “They have no knowledge. Every year someone moves and it’s a big pain to educate them.”

In its first attempt to be licensed, Coincheck failed, apparently because of weaknesses in the exchange’s systems, although it has not been more specific about what those weaknesses were. The FSA called for improvements, but, in the meantime, did not stop it from doing business.

And then things went wrong.

Around 3am local time on January 26, a hack took place on the Coincheck exchange. Around 523 million NEM coins, worth just over a dollar each at the time, were transferred off Coincheck’s servers after the theft of a private key. The hack affected 260,000 investors.

Coincheck-screen-shot-600

The apology from Coincheck, posted on its website

By 5.25am, Coincheck had suspended deposits and withdrawals, and reported the theft to the police and the FSA. The FSA, in turn, ordered Coincheck to make a report to the FSA, “including the statement of the facts and the cause of the incident and what kind of measures they are taking to prevent this incident being expanded, and its impact on their financials”, another source at the FSA tells Euromoney.

The FSA says it received this report two days late, “but the content of the report was not sufficient. So on the following day we gave a business improvement order to Coincheck.”

This order, the source says, again asked Coincheck to report the cause of the incident, explain the management system and its responsibilities, and explain the establishment of a risk-management system.

The deadline for this was February 13, two weeks later, by which time a number of other things had happened. Coincheck had promised to refund everyone affected by the scam; the NEM development team, the engineers behind the specific cryptocurrency that was stolen, had ruled out a so-called hard fork, a change to the underlying blockchain protocol that would make previously invalid transactions valid; they had also tagged all the stolen coins, effectively rendering them impossible to use or resell without detection; and the FSA had made a site visit on February 2.

Euromoney’s visit to the FSA took place shortly after the February 13 deadline.

“So we are still in the process of checking all those requests we asked them in the business improvement order,” the source says. “We are now discussing with Coincheck what is the real cause, the root cause of the problem? Is it because of a failure of the system, or their lack of an appropriate risk-management system, or that their management people didn’t have enough understanding of the risk? We are still discussing with them.”

Storage concerns

In the meantime, the FSA has ordered all 16 licensed cryptocurrency exchanges, and 15 deemed exchanges – such as Coincheck – to make “an emergency self-assessment of their own system” and to report back. Those reports have been received and are being analyzed, accompanied by on-site inspections to several exchanges.

“We are going to verify their risk-management systems,” the source says, while also deciding if any further measures are required.

Consequently, the FSA will not be drawn on anything it is going to change, pending the results of these queries and inspections, but one change that is likely to take place concerns the storage of assets.

There is a crucial distinction between what are known as hot wallets and cold wallets.

Hot wallets involve the storage of cryptocurrency assets in a digital folder on a server. A cold wallet stores the assets in a way that is not connected to the internet, such as a USB drive. It is considered secure best practice to store assets in cold wallets, but the stolen assets in the Coincheck case were in hot wallets.

The FSA will not say whether the rules will be changed around storage of digital assets, saying they are still analyzing the responses from exchanges, but this would be an obvious step forward.

A more fundamental issue, however, is how one regulates cryptocurrency exchanges at all and even if one should do so. How does a nation regulate something that is inherently borderless? If one is to insist on risk management, what precisely are the risks to be managed? What are the parameters and how does one assess compliance with them?

“Each exchange has a different business model,” says a source at the FSA. “The scale and the characteristics differ. We are conducting hearings with those companies, the people in charge, so we can identify the particular risks they are exposed to and monitor those risks.

“Some exchanges deal with a great number of currencies and some with a small number. Based on the risk characteristics of the exchanges, we are trying to come up with appropriate measures for all exchanges.”

Asked for examples of reasons the FSA might not approve an exchange, the source cites measures to deal with cyber-security, the strength of the system to confirm identity and whether there are appropriately segregated account systems.

The source says there is no specific timeframe for coming up with its conclusions.

At the heart of it all, however, is a problem of being first. Many other regulatory bodies are believed to have been in touch with the FSA as they try to work out their own responses to an extremely challenging field.

As Euromoney reported last month, responses have been varied. Japan has sought to regulate and foster, China has banned, Korea seems to be wavering between banning and regulating, India says it is going to ban but still might regulate, and both Hong Kong and Singapore take the view that they will ignore the whole field – seeking to avoid giving legitimacy to something that might be used for money laundering – except where cryptocurrencies show the characteristics of securities, in which case they will be treated like every other security.

Being first makes Japan’s regulatory environment for cryptocurrencies the most sophisticated in the world by definition, simply because it exists at all. And many admire it.

“Japan is progressive,” says Navin Gupta, managing director for India at Ripple. “Of course it has had many ups and downs, but the regulator has always been clear. It is one market that stands out.”

However, that does not mean it is watertight. “In my view, it isn’t sophisticated at all,” counters one banker in Tokyo. “And the problem is people assume that it is.”

So the FSA has grappled to deal with an industry that it cannot ignore, but that it is still trying to understand.

“Our principle, as finance minister [Taro] Aso said, is that we have to make a very good balance between the promotion of innovation and protection of users,” says a source at the FSA.

“We recognize that because this business is advancing quite rapidly, it is critical to have good and close communication with industry organizations so we can come up with the appropriate environment.”

The problem for Japan, as it has now learned twice in four years, is that it is trying to come up with that environment for an industry that is already vibrant to the point of recklessness.