Friday, 19 December 2023

Navigating the Digital Tide: Strategies and Compliance in

Cryptocurrency Adoption for Modern Business

Prepared For GRANT THORNTON

Prepared By XIMENA RODRIGUEZ, RODRIGO MARTINS & MICKIE GUINEA
 1

Table of Contents

Chapter 1: Introduction 2

Chapter 2: Virtual Asset Legislation in Spain 5

2.1 Background 5
2.1.1 Anti Money Laundering in Spain 5
2.1.2 Main Powers and Regulatory Bodies 6
2.1.3 Challenges Tackling AML/CTF in Spain 6
2.2 National Legislation 7
2.2.1 How is CryptoCurrency Classified in Spain 7
2.2.1.1 Law 6/2023, of March 17, of the Securities Markets and Investment Services 7
2.2.1.2 National Stock Market Commission (CNMV) 8
2.2.1.3 Bank of Spain 8
2.2.2 Anti Money Laundering and Terrorist Financing Provisions for VASPs 9
2.2.2.1 Law 10/2010 of 28 April, On the Prevention of Money Laundering and Terrorist
Financing 9
2.2.2.2 User Verification (Normal Due Diligence) 10
2.2.2.3 Beneficial Ownership 11
2.2.2.4 Transaction Monitoring and the Business Relationship 12
2.2.2.5 Due Diligence 13
2.2.2.6 Simplified Due Diligence 13
2.2.2.7 Enhanced Due Diligence 14
2.2.2.8 Politically Exposed Persons 16
2.2.3 Regulators and Oversight 16
2.2.3.1 The Executive Service of the Commission for the Prevention of Money Laundering
and Financial Crimes​(SEPBLAC) 16
2.3 Supranational Legislation 17
2.3.1 Markets in Crypto-Assets Regulation 17
2.3.3 Anti Money Laundering Directives 18
2.4 International Legislation 19
2.4.1 Financial Action Task Force 19
2.4.2 FATF Recommendations 20

Chapter 3: Current State of Virtual Asset Service Providers 21

3.1 Types of VASPs Regulated in Spain 21
3.1.1 Cryptocurrency for Fiat Currency Exchange Service Providers 21
3.1.2 Electronic Wallet Custodians 21
3.2 Compliance by Obligated Entities in Spain 22
3.2.1 Article 3: Formal Identification 22
3.2.2 Article 4: Identification of the Beneficial Owner 22
3.2.3 Article 4 bis: Beneficial Ownership Information of Legal Persons 23
3.2.4 Article 4 ter: Beneficial Ownership Information of Trusts 23
3.2.5 Article 5: Purpose and Nature of the Business Relationship 23
3.2.6 Article 6: Ongoing Monitoring of the Business Relationship 23
3.3 Customer Due Diligence Practices 24
3.3.1 Primary Research 24
 2

3.3.1.1 Bitso’s Head of Crypto 24

3.3.2 Secondary Research 26
3.3.2.1 Chainalysis Report: Crypto Myth Busting 26
3.3.2.2 Case Study: Japan & Crypto 27
3.3.2.3 Identity Verification 28
3.3.2.4 Know Your Customer (KYC) Questionnaires 31
3.3.2.5 Tax Residency Accreditation 32
3.3.2.6 Transaction Monitoring 33

Chapter 4: Crypto Due Diligence Guide for Businesses 35

4.1 The Evolving Landscape of Cryptocurrency in Business and its Implications 35
4.2 Companies Accepting Crypto Payments 38
4.2.1 Based on the Article 2 of Spanish Law 10/2010 39
Entities Likely to be Covered by Article 2: 39
Entities with Indirect Involvement: 40
4.3 Securing Crypto Payments 40
4.3.1 ­Ensuring Compliance in Cryptocurrency Transactions 41
4.3.1.1 Customers' Compliance 41
4.3.2.2 Customer Story - Case Study: Newegg 44
4.4 Accepting Cryptocurrency: Risk Assessment 46
4.4.1 Navigating the Complexities of Cryptocurrency Compliance: Lessons from the Binance
Money Laundering Case 47
4.5 Identity Verification 49
4.5.1 Cryptocurrency 49
4.5.2 Blockchain Ecosystem 50

Chapter 5: Due Diligence Best Practices 51

5.1 Money Doesn’t Grow on Trees 51
5.1.1 KYC Measures 51
5.1.2 Other Measures 52
5.2 To Outsource or not to Outsource 53
5.2.1 Inhouse Protocols 53
5.2.2 Third Parties 54
5.2.2.1 Suggested Third Parties 54
5.3 Size Matters 54
5.3.1 Small Obliged Subjects 55
5.3.2 Large Obliged Subjects 56

Chapter 6: Conclusion 57
 3

Chapter 1: Introduction

In the aftermath of the 2008 financial crisis, faith in the financial institutions that mediate our
economy was at an all time low. In response to the consolidated authority abused by the
actors of our financial system, a movement began to decentralise the concept of finance.
By October 2008 a whitepaper would be published that would serve as the foundational
text for a new generation of currency. Bitcoin: A Peer-to-Peer Electronic Cash System was
posted in an obscure mailing list for cryptography fans. Through exploiting recent
advancements in the field of computation, the paper's author Satoshi Nakomoto, outlined a
new open source software capable of generating an immutable, fully decentralised, virtual
currency.

The concept of a virtual currency wasn’t new. With several early iterations arising in the
1990’s by a movement of self proclaimed crypto anarchists. Bitcoin catalysed a movement
of programmers creating their own answer to virtual currency. Each new iteration adapting
Nakamoto’s formula, while maintaining the underlying nature of a peer to peer exchange.
Free from the innate risk of financial sector incompetence, and outside the watchful gaze of
public sector authorities. As echoed by Milton Friedman in 1999 'the Internet is going to
be one of the major forces for reducing the role of government’.1 Naturally it did not
take long before this nascent technology attracted the interest of criminal groups. Both as a
means to transact and store value.

One of the principal financial concerns of a criminal is in severing their proceeds from their
crimes. This is the process of Money Laundering. Converting illicit funds, making them
appear as if they derive from legitimate means. Historically this was facilitated by the
asymmetry of information between law enforcement and the criminal element. In order to
disguise funds, criminals create a paper trail of transactions through various channels and
intermediaries. Obscuring law enforcement's ability to trace the funds back to their source.

Traditionally Anti Money Laundering regulation mitigated this by transferring the burden of
investigation and reporting to the private sector. Forcing the financial intermediaries that
hold, transfer, and invest capital to do the leg work in policing customer activity. The rise of

1
Labourne, Marion, and Jim Reid. “The Future of Payments - Part III Digital Currency.” DB Research, January
20, 2020
 4

decentralised finance and the growing movement to peer to peer transactions has cast the
shadow of doubt over this traditional approach.

The innate risk of operating outside of the controlled boundaries of the financial system has
had a stifling effect on the industry, dissuading market participants from engaging with
virtual currencies in a serious manner. For a long time in the public eye, virtual currencies
were primarily understood as a means to purchase illegal goods and services on the
internet. A lack of interest and understanding of the technology from the authorities resulted
in a highly unregulated industry. Resulting for its dissemination across dark web
marketplaces like the Silk Road.

A study published in the oxford university press found that by 2017 26% of transactions
with virtual assets were associated with criminal activity. Representing 76 billion in dollar
terms, equal to 60% of the total market for illegal drugs in the US.2 However in recent years
the proportion of illegal activity has declined, regular market participants having turned their
attention to the technology as a means to speculate. As virtual assets began to yield
astronomical returns on the open market.

According to a recent survey by PwC, a staggering 83% of institutional investors believe

that cryptocurrencies will become an important part of the mainstream financial system
within the next five years.3 With major industry players like Swift collaborating with leading
financial institutions including BNP Paribas, Citi Bank, and BNY Mellon to develop
infrastructure for transferring tokenized assets on the blockchain. This new resurgence in
an already generally unregulated market led to a wave of crypto currency scams, collapses,
sanctions evasion, and institutionalised money laundering that has plagued the industry.

The fallout generated by this crypto-renaissance has begun to attract the scrutiny of
governments, law enforcement, and regulators who have begun the scramble to integrate
the technology within the regulatory fold. Companies seeking to provide services in relation
to the deposit, exchange, and management of virtual assets have been subject to a rapidly

2
Karlsen, Jonathan R., and Talis J. Putnins. “Sex, drugs, and bitcoin: How much illegal activity is financed
through cryptocurrencies?” SSRN Electronic Journal, Jan. 2019
3
PricewaterhouseCoopers. “More than a Third of Traditional Hedge Funds Now Invest in Digital Assets, Nearly
Double a Year Ago: PWC Global Crypto Hedge Fund Report 2022.” PwC, 2022
 5

changing regulatory environment. This report seeks to analyse the emergence of anti money
laundering regulation within the crypto space, and provide a detailed guide for Virtual Asset
Service Providers (Herein ‘VASPs’) to understand the hurdles and pitfalls that must be
overcome to operate the services in Europe.

We will take you through the sources of national law, particularly Spanish law, as the
strongest example of a comprehensive anti money laundering regime. Outlining the major
players and regulatory hoops that must be established to operate in full compliance as a
VASP. We will then explore the current state of the market and the actions taken by VASPs
to monitor and prevent money laundering activity within their networks. With primary source
accounts from executives detailing their perspective on the challenges of regulating the
space. Next we will provide a case study analysis of due diligence methodology, and the
different ways market participants can tackle their responsibilities. Investing in
comprehensive in-house AML systems, or by outsourcing them to qualified firms. We end
with a retrospective on our findings regarding the best due diligence practices for firms
operating in the space. Outlining the most important measures and considerations to
operate and finance a business with virtual currency.
 6

Chapter 2: Virtual Asset Legislation in Spain

2.1 Background

2.1.1 Anti Money Laundering in Spain

Spain’s strategic location, nestled on the edge of Europe, has historically made it a logistical
stronghold for organised crime. For the drugs, humans, and weapons being smuggled out
of Africa and Latin America, Spain is often the first stop on their journey to the rest of
Europe. This geographical reality has made Spain a global 'hotspot' for money laundering
activity. Exploited by criminal groups as a strategic base to store and distribute the
proceeds of their crimes.

Spain is also home to an incredibly dynamic financial sector, replete with banking, credit,
and investment services companies. Making it an incredibly convenient location to store
one’s illicit funds. Filtering them through financial institutions before disguising them into the
Spanish economy. As such financial firms operating in Spain run the daily risk of facilitating
Money Laundering and Terrorist Financing activity. To manage this ongoing threat, Spain
prescribes one of the most comprehensive anti money laundering regimes in Europe. At the
forefront of implementing European and International AML standards. The only nation in the
world to have 10 out of 11 global money laundering prevention indicators ranked
"Substantial" or "High”.4

The rise of virtual assets, such as crypto currencies and NFTs, financial products that
operate outside of the hands of main actors of the financial system, represents a unique
challenge to the Spanish AML regime. In 2019 Europol collaborated with the Spanish
governments dismantling a criminal organisation offering money laundering services. Using
their crypto currency exchange business, the criminals wired funds through controlled ATMs
into the major exchange platforms.5 Thwarting the suspicious transaction alerts by
depositing funds in small denominations. In response, the Spanish legislature has been

4
FATF (2014), Anti-money laundering and counter-terrorist financing measures - Spain, Fourth Round Mutual
Evaluation Report, FATF
5
“Europol Supports Spanish Authorities in Taking down Europe’s Biggest Narco Bank.” Europol, October 14,
2022
 7

paying attention to the special digital space, increasing the scrutiny placed on companies
seeking to offer services related to virtual assets.

In Spanish Law, a money launderer is defined in Article 301 of the Criminal Code, as he who
'acquires, possesses, uses, converts, or conveys assets, knowing they originate from a
criminal activity, committed by himself or by any third party'. This definition applies to both
natural persons, and legal persons who facilitate the concealment of funds. It's worth noting
that the law does not require intent. A natural or legal person may be charged with money
laundering for negligence. In other words, it is fundamental that all businesses seeking to
operate in this space must follow the spirit and the letter of the law to ensure to avoid the
devastating civil/criminal fines and penalties that may arise from non compliance.

2.1.2 Main Powers and Regulatory Bodies

Spain as a Member State of the European Union, and party to the FATF, is subject to
multiple layers of regulation. VASPs seeking to operate in Spain must therefore familiarise
themselves with the three overlapping regulatory regimes. The Spanish legislature
prescribes its own anti money laundering laws that apply mandatorily to local businesses,
these laws are based on the recommendations made by the FATF, and must ultimately
coincide with the directives and regulations issued by the European Commission in
Brussels.

Therein, whilst Spanish law prescribes the bare minimum of compliance required to operate
in the region. It is important to incorporate an analysis of EU law, to understand the
direction legislation is heading, and the FATF to understand the best industry practices for
the prevention of money laundering and terrorist financing. This chapter will take you
through each tranche of regulation, the national, supranational, and international influences
on Spanish AML legislation. Providing a comprehensive overview of what the law requires
from local Virtual Asset Service Providers.
 8

2.1.3 Challenges Tackling AML/CTF in Spain

In their 2014 Mutual Evaluation of Spain, the FATF, the world's global Financial Crime
Watchdog noted that, despite the strength of the local anti money laundering laws. The
persistent threats of terrorism, money laundering, and organised crime represented a
significant threat to the region. Principally, while there are strong anti money laundering
measures in place, Spain's targeted financial sanctions system suffers serious technical and
practical deficiencies, there are gaps in transaction monitoring, accusations of lack of
implementation in certain industries, and a general lack of transparency regarding beneficial
ownership.

Until recently, there was little much of any regulatory framework for virtual assets in Spain.
As such, companies operating in the sector enjoyed a significant degree of freedom.
Locally, virtual assets did not represent Legal tender, they did not hold the legal status of
money, financial instrument or value. Therefore they fell out of the purview of the Spanish
financial regulators, being bound only to a bare minimum of AML and tax reporting
obligations. Recent changes made at the EU level have brought some virtual assets into
this regulatory regime. However, even today large swaths of the industry, particularly those
outside the traditional financial system, remain unregulated.

2.2 National Legislation

2.2.1 How is CryptoCurrency Classified in Spain

2.2.1.1 Law 6/2023, of March 17, of the Securities Markets and Investment Services

In March of 2023 the Spanish Legislature passed Law 6/2023, of March 17, of the Securities
Markets and Investment Services in an effort to modernise the Spanish securities market.
The law sought to transpose several EU provisions as an overhaul of Spanish law.

One of the central pillars of the new legislation was the incorporation of Virtual Assets and
Distributed Ledger Technology into securities regulation. Per the amended regime,
marketable securities recorded on distributed ledger technology are considered financial
 9

instruments, and thus fall under the purview of the Spanish Financial Regulators, both the
CNMV and the Bank of Spain. Giving them broad powers to regulate, investigate, and
sanction entities issuing, buying, or selling cryptographic securities and financial
instruments.

2.2.1.2 National Stock Market Commission (CNMV)

The CNMV (National Securities Market Commission) is the Spanish government agency
responsible for the supervision of the securities markets in Spain. Spain adopted the
Securities Markets and Investment Services Law in March 2023, designating the CNMV and
the Bank of Spain as the appropriate authorities for enforcing the upcoming crypto
regulations at the EU level.

Whilst officially their mandate is to supervise the operations of the securities market, rather
than overseeing anti-money laundering and counter-terrorism financing of financial
institutions. The CNMV collaborates with SEPBLAC, the Spanish financial crime supervisor,
by incorporating these subjects into inspections as needed and providing updates on the
findings. AML/CFT reports can also be requested by CNMV from newly established
companies joining the market or from new investors purchasing a sizable stake in an
existing company.

2.2.1.3 Bank of Spain

The Bank of Spain (Banco de España) is the Spanish central banking authority. As a
Member of the European System of Central Banks and the Eurosystem, it exercises broad
authority over the Spanish economy. Entrusted as the competent authority in defining
monetary policy, safeguarding the financial system, and circulating legal tender. As part of
its mandate the Bank of Spain oversees regulated financial entities.

Following an amendment to Spain’s AML regime in 2021, entities seeking to engage in the
'exchange(s) between virtual and fiat currency, and the custody of virtual wallets’ must
register with the Bank of Spain to operate in the country. Since the Registry's launch in
January 2022, 80 businesses that presently conduct business in Spain have registered. The
 10

BoS, which will oversee the required registration, assesses the suitability of applicants
through comprehensive inquiries. Determining fitness based on a variety of factors,
including a detailed review of the firm's proposed AML/CTF procedures as well as a
certificate of no criminal record.

2.2.2 Anti Money Laundering and Terrorist Financing Provisions for VASPs

2.2.2.1 Law 10/2010 of 28 April, On the Prevention of Money Laundering and Terrorist
Financing

On May 6th of 2010, the Regulation enacting Spain's new anti-money laundering law came
into effect. Law 10/2010 of 28 April, On the Prevention of Money Laundering and Terrorist
Financing updated the Spanish AML regime, with new regulations that take into account
technological advancements in the world of finance. Particularly, the rise of e-money,
Fin-Tech, and crypto-currency.

In a general sense, the law outlines the responsibilities of ‘obliged subjects’. That being
entities that operate in sectors with a substantial risk of money laundering, such as financial
institutions, payment managers, and professional service firms. In a broad sense, the law
covers any entity involved in the transfer, custodianship, investment, exchange, or
management of capital assets.

At the time the law was one of the toughest AML regimes in Europe. Establishing strict due
diligence obligations, requiring the ongoing monitoring of clients, application of internal
controls, and comprehensive reporting measures to the relevant authorities. Yet, in the
rapidly changing world of finance this was deemed insufficient. In an effort to bring the
Spanish legislative framework in line with recent changes made at the EU level, the Spanish
parliament published Royal Decree-Law 7/2021. Which aimed to enhance both the
transparency and availability of information regarding beneficial ownership, as well as
measures for the prevention of terrorism.

The most important amendment was the inclusion of an updated list of obliged subjects,
namely, VASPs. Under the language of the new law ‘Providers engaged in exchange
 11

services between virtual currencies and fiat currencies, as well as custodian wallet providers
or safeguarding of keys’ are subject to the same AML obligations of any other financial
institution. Article 16 extends this requirement, including an open ended provision requiring
obligated subjects to monitor the AML/CTF threats that arise from developing technologies
that favour anonymity, with corresponding risk assessments and prevention plans.

The law sets out a broad geographic scope, requiring that Spanish obligated entities adopt
similar measures, at least in line with community law, in any branches or majority owned
subsidiaries located in any third country.

2.2.2.2 User Verification (Normal Due Diligence)

One of the most important features of this regime is Formal Identification, also known as
KYC (know your customer) or KYB (know your business). These rules encompass the
normal due diligence measures a obliged entity should engage in when onboarding a client.
Under this regime, VASPs are required to maintain up to date documentation on all natural
and legal persons with whom they intend to establish a business relationship. This
requirement also extends itself to those business relationships conducted on an infrequent
or occasional basis. So long as the transactions conducted between these entities exceeds
1000 EUR, or from payouts of games of chance, 2,500 EUR.

Under Articles 3 and 4 of Law 10/2010, all obliged subjects are required to formally identify
their clients and proactively scrutinise their activities to ensure they are consistent with their
knowledge of the customer. This involves keeping an up to date registry of pertinent
information including the identities of individuals, their agents, and beneficial owners.
Requiring obliged subjects to make ongoing determinations about their relationship, risk
profile, and source of funds.

The law also prescribes what information is required from each variety of counterparty. For
individuals who are Spanish nationals, obliged subjects must keep a record of their client’s
Spanish national identity card (NIE). For foreign individuals, a residence card, passport, or
foreign identity cards may be sufficient. In the case of financial institutions, obliged subjects
 12

may only accept local or EU documents, ensuring that the individual has the legal right to
hold an account under national law.

Legal persons, on the other hand, require a more comprehensive identification process. For
Spanish companies, a certification from the local Provincial Commercial Registry would be
a sufficient indication of the counterparties' existence. However, any obliged entity seeking
to maintain business relationships with other or foreign legal persons will have to record the
company name, legal form, registered address, identity of their directors, articles of
association, beneficial ownership, and their tax identification number. It is worthwhile noting
that these conditions are in no way exhaustive. Several obliged entities may also be subject
to additional rules regarding user verification.

The main aim of the collection process is to understand the nature of their client's business
or profession. Which allows the obliged subject to monitor the user's activities and ensure
their activity is consistent with their supposed operational background. In cases where the
business relationship is deemed to be 'high risk', or in cases where their stated activity is
inconsistent with their background, the law prescribes the burden of additional verification.

2.2.2.3 Beneficial Ownership

One of the most important features of verifying legal persons, is the identification of their
beneficial owner. Article 8 of Law 10/2010 determines this to be the natural person on
whose behalf a business relationship is established, or the natural person who ultimately
controls more than 25% of the share capital or voting rights of a legal person.

In the case of public companies, legal instruments, or other situations where no single
individual who controls more than 25% of the share capital or voting rights, company
administrators, directors, trustees, or managers can be considered beneficial owners. This
is true even when determined through a chain of control or ownership. Ensuring that
obligated subjects keep a record of who will ultimately receive the funds in question, as well
as having the bipartite effect of expunging structures built for the express purpose of
obscuring ownership.
 13

2.2.2.4 Transaction Monitoring and the Business Relationship

Law 10/2010 sets out the importance of transaction monitoring. Requiring obliged entities
to have systems in place to scrutinise transactions made on their network. This can be done
internally, or by way of a third party.

Obliged entities are required to report any transactions, regardless of their size, which they
suspect relates to money laundering and terrorist financing. Reporting their findings to
SEPBLAC, Spain's dedicated Financial Intelligence Unit. Obliged entities have a general
duty not to execute such transactions, however the law allows abstentions, where the
failure to execute a transaction may hinder an investigation. It is important to note that the
law prevents obliged entities from disclosing to third parties that information has been
transmitted to the relevant authorities.

Certain transactions require prior declaration. According to Article 34 natural persons, who
on their own account or on behalf of a third party, execute a cross border movement above
10,000 euros, or 100,00 if done domestically, require special certification.

In order to ensure that transactions conducted through obliged subjects are in line with the
customer's operational background, Article 11 prescribes that all transactions be reviewed
accordingly, and with this purpose in mind. The degree to which these activities must be
monitored tends to vary.

When it is determined that the customer represent an above average risk, or has a
heightened risk profile, obliged subjects are required to record a comprehensive analysis of
the user's activity, covering all customer’s products with the obliged subject and, where
appropriate, with other group companies. One of the nuances of Spanish AML law is its
requirement that obliged entities keep all documentation related to their compliance
obligations for a period of ten years. Twice the time span prescribed in other European
jurisdictions.

The law makes it clear that obliged subjects have a duty to ensure the information on record
is accurate and reliable. If during the course of the investigation there is any indication that
 14

the customer is involved in money laundering or terrorist financing, this information must be
disclosed to the proper authorities.

2.2.2.5 Due Diligence

To understand the money laundering and terrorist financing risks financial institutions face,
firms must verify their customers’ identities and the account relationship’s intended
purpose. This process is known as Customer Due Diligence, and is a responsibility that
covers the entire lifecycle of the account. Before an obligated subject seeks to onboard a
user, they must first gather the necessary documents, perform the relevant verifications,
and to determine the risk of establishing a business relationship.

Once a user is onboarded, their activities must be monitored consistently, in accordance

with their risk profile and their activities. It goes without saying that transactions that exceed
regulatory thresholds, involve entities in high risk jurisdictions, or invoke a sufficient degree
of suspicion must be investigated thoroughly and in accordance with the law. The law
distinguishes between these cases as Simplified and Enhanced Due Diligence.

2.2.2.6 Simplified Due Diligence

Simplified due diligence is the alternative to the regular due diligence responsibilities that
arise from the duty to verify business relationships. In cases where it is determined that
money laundering risks are negligible, or in cases outlined by the law, obliged subjects may
opt for a reduced verification process. This may cover anything from reducing document
and transaction monitoring, to not collecting information on the customers business activity
or beneficial ownership.

Per Article 15, counterparties such as government bodies, financial institutions, and publicly
held companies are assumed to be relatively low risk. The law prescribes that so long as
these entities are based in the European Union, or a third country with an equivalent AML
regime, obligated subjects may limit themselves to simplified due diligence. Similarly, the
law prescribes certain transactions whereby simplified due diligence may be applied. Article
16 establishes that certain life insurance policies, social welfare contributions, and
 15

payments below a certain threshold of account activity may be exempted from regular due
diligence obligations.

2.2.2.7 Enhanced Due Diligence

Naturally, enhanced due diligence is the opposite of simplified due diligence. It simply refers
to the set of additional investigative measures that are required when obliged entities
onboard or investigate a 'high risk' user. This entails gathering a great deal of data
regarding the background, risk tolerance, and reputation of a prospective client. In an effort
to reduce the risk that new business agreements may bring. This process is reserved for
those users determined to be particularly high-risk, high-net-worth, or with a large degree of
transaction volumes.

This dichotomy exists in order to spare obliged subjects from the onerous process of
collecting and investigating information on all their users. Rather it ensures that the most
extreme due diligence measures, required for the prevention of money laundering and
terrorist financing, are applied strictly when necessary. While there is a degree of
subjectivity when determining when a user or transaction is 'High Risk', the law sets out a
number of conditions that mandate enhanced due diligence.

Article 11 of Law 10/2010 establishes that, in addition to 'normal' due diligence measures,
transactions or users hailing from countries with weak anti money laundering and terrorist
financing laws must be treated with enhanced due diligence measures. These jurisdictions
are defined by the European Commission in accordance with Article 9 of Directive (UE)
2015/849 of the European Parliament and of the Council of 20 May 2015. Defining them as
‘Third-country jurisdictions which have strategic deficiencies in their national AML/CFT
regimes that pose significant threats to the financial system of the Union’. The EU
Commission publishes in a comprehensive list covering 29 different African, Middle Eastern,
Caribbean, and Asian Jurisdictions.

The law also prescribes additional due diligence measures for business relationships and
transactions conducted without physical presence. According to Article 12 of Law 10/2010
establishes that in order to conduct business through electronic means, three conditions
 16

must be met. The obliged entity must have the user's identity accredited in accordance with
Law 6/2020 and the EU's eIDAS Regulation, ensuring the veracity of the KYC information
gathered. The obliged entity must also ensure that, in the case of a transaction, the first
deposit originates from an account, opened in Spain, in the client's name.

For virtual currencies, this would refer to the custodian of the funds, for example the
exchange on which the tokens were purchased or the wallet service where the funds were
deposited. If there are any discrepancies between the data provided by the customer, and
the information gathered by the obliged entity, the customer is precluded from virtual
verification. Interestingly the law also requires that the obliged entities establish policies and
procedures addressing the specific risks of conducting business electronically. However it
does not set out what these risks are.

Counterparties for correspondent banking services are also deemed 'high risk' for the
purpose of enhanced due diligence. Correspondent banking refers to the financial services
banks offer to other, third party banks. These cover cash management, international fund
transfers, cheque clearing, and foreign exchange. Naturally given these transactions are
made on behalf of third parties, without the necessary KYC information from either
counterparty, financial institutions are required to conduct enhanced due diligence before
contracting their services. From a crypto perspective, it is important to note that the law
covers the transfer of money as well as the transfer of securities.

In order to onboard these third party relationships, the law prescribes a number of
measures that must be applied covering the collection of KYB information, assessment of
the institutions anti money laundering and terrorist financing controls, outlining the
responsibilities of each institution, and conducting ongoing transaction monitoring in
accordance with the principles of enhanced due diligence. It is important to note that these
relationships can only be undertaken with the approval of senior management, defined as
'persons who have sufficient knowledge of the obliged entity’s level of exposure to the risk
of money laundering and terrorist financing and who have sufficient rank to take decisions
affecting that exposure'
 17

2.2.2.8 Politically Exposed Persons

Politically exposed persons are those who are or have been entrusted with prominent public
functions, such as heads of State, heads of government, ministers or other members of
Government. Because of their position and possible influence, PEPs are typically more likely
to be involved in bribery and corruption, and as such the law regulates them specifically.
Particularly in international settings, the terms "politically exposed person" and "senior
foreign political figure" are sometimes used interchangeably.

Per Article 14 of Law 10/2010, obliged entities are required to apply enhanced due diligence
measures on all business relationships or transactions with politically exposed persons as
the counterparty. The definition of what a politically exposed person is covers a wide range
of positions, ranging from local government, to supreme court justices, and leaders of
important trade unions. A comprehensive list of Spanish officials considered Politically
Exposed Persons is published by SEPBLAC.

In order to onboard a politically exposed person, obliged subjects must take adequate
measures to establish the source of wealth and the source of funds, and are required to
monitor the user's activity on an ongoing basis in accordance with enhanced due diligence
measures. The law requires that the customer be approved by management. In fact the
obliged subject’s internal procedures must specify the minimum management level of
approval necessary for establishing or continuing business relationships.

2.2.3 Regulators and Oversight

2.2.3.1 The Executive Service of the Commission for the Prevention of Money
Laundering and Financial Crimes​(SEPBLAC)

SEPBLAC, the Executive Service of the Commission for the Prevention of Money
Laundering and Financial Crime, is the Spanish supervisory authority for the prevention of
money laundering and terrorist financing. As a Financial Intelligence Unit, SEPBLACs,
mandate is to fight the war against money laundering through research, policy, and
investigation. Finding itself integrated fighting crime as a law enforcement agency, and
 18

controlling the industry as a supervisor. Regularly inspecting obliged subjects for their
compliance.

As noted previously, obliged subjects are required to cooperate with SEPBLAC, who
receives regular reports of suspicious activity and investigates them accordingly. Obligated
subjects are required to have a framework of internal controls in place, which allows them to
communicate and respond to enquiries made by SEPBLAC on a continuous and punctual
basis. These internal controls are subject to mandatory reviews by SEPBLAC, the CNMV, as
well third party review by experts on an annual basis. Under article 43, credit institutions
must report the opening, or cancellation, of all forms of accounts, identifying the holders,
representatives, and authorised persons. This report is known as the financial ownership
file, allowing the authorities to trace the assets attributed to each individual.

Part of the reporting obligations set out in Chapter IV of Law 10/2010 mandates that obliged
entities appoint a director or senior manager to serve as a point of contact for the executive
service. Known colloquially as a Money Laundering Reporting Officer, Article 26 requires
that this person communicate Obliged entities that operate physically in Spain must
appoint a Spanish resident, obliged entities operating under the freedom to provide services
may appoint a representative based outside of Spain. The article establishes the additional
requirement of creating an internal compliance unit tasked with designing and implementing
the policies and procedures in connection to the executive service.

2.3 Supranational Legislation

2.3.1 Markets in Crypto-Assets Regulation

In June of 2023 the European Union passed a new legislation seeking to overhaul the
regulation of Virtual Assets at the community level. The Markets in Crypto-assets
regulation, also known as the MiCA Proposal, will amend the previous Directive (EU)
2019/1937, establishing uniform European rules for all issuers of Virtual Assets as well as
for virtual asset service providers. The all VAs not currently covered under existing financial
services legislation, establishes uniform European rules for issuers of such VAs as well as
for crypto-asset service providers. Spain implemented the regulation into national
 19

legislation six months ahead of MiCA's entry into force, designating the CNMV to
implement the rules and regulate the industry.

The Regulation has a fairly narrow scope, defining the virtual assets covered as “digital
representations of value or of a right that are able to be transferred and stored electronically,
using distributed ledger technology or similar technology”, focusing exclusively on the
issuers of utility tokens, asset referenced tokens, stablecoins, as well as the industry’s
service providers such as fiat to crypto exchanges and the wallets where virtual assets are
held. However, it does not cover the issuance of decentrally generated virtual assets, non
fungible tokens, and decentralised financial platforms, such as peer to peer exchange and
decentralised lending, leaving a lot to be desired from an Anti Money Laundering
perspective.

MiCA introduces new rules which aim to achieve four main goals. Protecting consumers,
investors with comprehensive disclosure requirements and rules in relation to marketing and
sale of virtual assets; Ensuring legal certainty by establishing a sound legal framework for
virtual assets that are not covered by current financial services legislation; fostering
innovation and fair competition to encourage the development of crypto-assets by
instituting a safe and proportionate framework; and ensuring financial stability, with the
inclusion of safeguards to address potential risks to financial stability.

The Regulation does this by imposing disclosure and registration requirements on issuers of
virtual assets falling under its scope. Under the new rules Issuers must produce and publish
a ‘white paper’ in order to sell virtual assets. The regulation also requires that states elect a
supervisory authority to oversee the industry. Stablecoin electronic money issuers are
required to seek authorization from the competent regulator of their home member state,
who will make a determination of the project's viability taking into account the issuer's
business model, capital, security, and assessment of the included whitepaper. The
approvals granted will be valid throughout the EU.
 20

2.3.3 Anti Money Laundering Directives

The European Union has a rich history of implementing money laundering directives in an
effort to shape legislation at the member state level. Beginning in 1990 with the first AML
Directive, the EU has since passed a total of six directives, each expanding the
responsibilities of those covered, and increasing the scope of parties subject to money
laundering legislation.

In 2018 these rules were extended to virtual assets, bringing regulation to exchanges, wallet
custodians, and other gatekeepers. Interestingly, these directives extend EU AML
requirements exclusively to “providers engaged in exchange services between virtual
currencies and fiat currency”. Covering most crypto-to-fiat (or fiat-to-crypto) exchanges
whilst largely ignoring the money laundering risks posed by, crypto-to-crypto exchanges..

The most recent of these directives was MLD6, entered into force in 2020, which included
the proposal for the creation of a new EU authority to fight financial crime, and the
implementation of FATF’s Recommendation 16, otherwise known as the “travel rule”, for
transfers of Virtual Assets. The travel rule is a transaction reporting mechanism which
ensures that any transaction made above a certain threshold, must be accompanied by the
personal information of the originator. In essence, creating a traceable paper trail between
the originators and beneficiaries that operate on an obliged entities payment network.

2.4 International Legislation

2.4.1 Financial Action Task Force

The Financial Action Task Force (FATF) is an intergovernmental organisation that sets the
global standards in the fight against financial crime. The FATF was formed in 1989 at the
behest of the G7 summit in Paris, in an effort to combat the growing international problem
of Money Laundering and Terrorist Financing. The organisation represents the combined
international efforts of 38 signatory states who in conjunction with the other ‘FATF Style
Regional Bodies’ compose an international network of 205 countries that vote to promote
 21

effective regulation against financial crime through policy, investigations, and multilateral
cooperation.

2.4.2 FATF Recommendations

One of the important texts produced by the FATF are its Recommendations, a
comprehensive list of legal standards that its members use as a model for designing
legislation. The nine Special Recommendations on Terrorism Financing and the Forty
Recommendations on Money Laundering together set the standard for AML/TF procedure
which are all currently integrated under one text.6 They lay forth the guidelines for action
and provide nations some leeway in applying them in accordance with their unique
situations and constitutional frameworks.

2.4.3 Decision on VASPS

In recent years the FATF has directed more focus into the regulation of the virtual asset
industry, and has issued global binding standards to prevent their misuse. In their 2014
report the FATF recognized that the crypto space represented a huge opportunity for
payment systems, as well as a powerful new tool for criminals, terrorists, and sanctioned
entities. Setting out a conceptual framework for understanding the AML/CTF risks posed by
virtual assets.

Recommendation 15 specifically deals with the emerging technologies and business

practices in the financial industry. Namely mandating that countries and financial institutions
identify and assess these practices before their implementations. This recommendation
specifically covers Virtual Assets and Virtual Asset Providers, ensuring that they apply a risk
based approach to ensure necessary measures are developed commensurate with the risks
identified. The recommendation goes on to prescribe that all VASPs be licensed, registered,
and scrutinised by a supervisory authority. And that all transactions between VASPs contain
accurate originator and beneficiary information, making the information available upon
request to the appropriate authorities.

6
“FATF 40 Recommendations - Financial Action Task Force.” Financial Action Task Force, October 1, 2012
 22

Chapter 3: Current State of Virtual Asset Service Providers

3.1 Types of VASPs Regulated in Spain

The provisions set out in Law 10/2010 of 28 April, on the Prevention of Money Laundering
and Terrorist Financing shall only apply to the entities specified in Article 2.1. In terms of
Virtual Asset Service Providers we find two in paragraph “z” of said article. It is also
important to note that Title II of Royal Decree-Law 7/2021, of April 27 gave these two types
of obliged subjects the status of financial entities by amending paragraph 4 of Article 2.

3.1.1 Cryptocurrency for Fiat Currency Exchange Service Providers

The first one is that of service providers that exchange virtual currency for fiat currency. This
englobes any “purchase and/or sale of virtual currencies through the delivery or receipt of
euros or any other foreign currency of legal tender or electronic money accepted as a
means of payment in the country in which it has been issued.”7 With this definition in mind
we will be looking at the following exchange platforms: Coinbase, Binance, Gemini, Kraken,
eToro, and Blockchain.com.

3.1.2 Electronic Wallet Custodians

The second regulated entity is that of electronic wallet custodians. These are defined as any
“natural persons or entities that provide safekeeping or custody services of private
cryptographic keys on behalf of their clients for the holding, storage and transfer of virtual
currencies.”8

Unfortunately, the current wording of this definition does not account for
hot—cryptocurrency wallets that are connected to the internet and are actively used in
transactions—and cold wallets—offline cryptographic key and currency storage solutions.

Nonetheless, following this definition, many exchange platforms fall under this category of
regulated entities as well. However, for the sake of better understanding we will separate

7
Article 1.6 of Law 10/2010, of April 28
8
Article 1.7 of Law 10/2010, of April 28
 23

the two types of crypto-centric obliged subjects. Unlike the vast number of exchange
platforms, sole hot wallet custodians are uncommon, so we will analyze two wallets that
operate in Spain: Venly and Bitgo.

3.2 Compliance by Obligated Entities in Spain

This section covers what regulated entities are obliged to do to prevent money laundering
and terrorist financing. Centering on due diligence measures laid in Section 1: Standard
Measures, overlooking Sections 2 & 3 on simplified and reinforced measures respectively;
as amended by Title II of Royal Decree-Law 7/2021, of April 27.

3.2.1 Article 3: Formal Identification

Regulated entities shall identify all natural or legal persons who intend to establish business
relations or intervene in any transactions.9 Entities may not maintain business relations with
unidentified subjects. Moreover, the verification of identity by reliable documents must be
done prior to establishing a business relationship.

3.2.2 Article 4: Identification of the Beneficial Owner

Obliged subjects shall identify the beneficial owner and take appropriate measures to verify
his identity prior to the establishment of business relations or the execution of any
transactions.10 The law goes on to define who can be understood to be the beneficial
owner, either the natural person who establishes the business relation, or that which holds
more than 25% of the natural person benefiting’s voting rights or shares or less but direct or
indirect control over it, and explains the case of anglo saxon trusts. It then obliges regulated
entities to collect information that verifies whether their clients are acting on their own
behalf or that of third parties.

9
Article 3.1 of Law 10/2010, of April 28
10
Article 4.1 of Law 10/2010, of April 28
 24

3.2.3 Article 4 bis: Beneficial Ownership Information of Legal Persons

All natural persons who have the status of beneficial owners in accordance with the
provisions of Article 4, shall be obliged to immediately provide, as soon as they become
aware of that fact, to the persons listed in Section 3, their status as beneficial owners,
including the following identification data: name and surname, date of birth, type and
number of identification document (in the case of Spanish nationals or residents in Spain,
the document issued in Spain shall always be included), country of issue of the
identification document, country of residence, nationality, criterion that qualifies that person
as a beneficial owner, and in the case of beneficial ownership by direct or indirect
ownership of shares or voting rights, percentage of participation, including, in the case of
indirect ownership, information on the interposed legal entities and their participation in
each one of them.11

3.2.4 Article 4 ter: Beneficial Ownership Information of Trusts

The beneficial ownership information required in this article is the same as for the previous
one with the exception of the last provision which is not necessary.

3.2.5 Article 5: Purpose and Nature of the Business Relationship

Obligated subjects must obtain information on the purpose and intended nature of the
business relationship. In particular, they must collect information from their clients in order
to know the nature of their professional or business activity and shall adopt measures
aimed at reasonably verifying the veracity of such information. Such as the establishment
and application of procedures for the verification of the activities declared by the clients.
The measures must take into account the levels of risk based on the provided information.12

3.2.6 Article 6: Ongoing Monitoring of the Business Relationship

Regulated entities must apply continuous monitoring measures to the business relationship,
including scrutiny of the transactions carried out to ensure that they match the obliged

11
Article 4 ter (3) of Law 10/2010, of April 28
12
Article 5 of Law 10/2010, of April 28
 25

entity's knowledge of the customer and his business and risk profile, including the source of
funds, and ensure that the documents, data and information available are up to date.13

3.3 Customer Due Diligence Practices

The following section deals with what regulated entities in the sphere of Article 2.1(z) of Law
10/2010, of April 28 are doing to comply with said legislation. In terms of what they are
asking users in order to create an account and be able to buy, sell, trade, and transfer
cryptocurrencies, whether or not they request tax residency accreditations, if they require
KYC questionnaires, and to what extent they monitor their users’ transactions.

3.3.1 Primary Research

In this section, we engage directly with a representative from an exchange platform and
wallet custodian, as outlined in the previous sections and chapters. Providing us with
unique perspectives on their daily compliance practices, challenges they face, and
strategies they employ to meet Anti-Money Laundering and Counter-Terrorist Financing
obligations. Furthermore, going beyond the current state, we aim to look at the point of view
of those affected by cryptocurrency regulations, their opinions on the path regulators are
on, and recommendations for the future. The qualitative data gathered from said interviews
greatly enriches the analysis of this chapter by offering firsthand accounts of experiences
within the evolving regulatory landscape.

3.3.1.1 Bitso’s Head of Crypto

Bitso is Latin America’s first crypto unicorn—privately held startups with valuations of over
$1 billion—and is the leading Financial Services company powered by crypto in the region,
established in 2014. They currently count with over 7 million users and provide “borderless,
secure, transparent, and accessible financial products.”14 Bitso offers its services to
individuals through the ability to invest, sell, and trade cryptos with perks such as
scheduled target prices, automatic orders, and automated buying. They also serve business
by allowing companies to make or receive payments in both fiat and crypto currencies,

13
Article 6 of Law 10/2010, of April 28
14
Bitso. “Bitso.” LinkedIn, n.d.
 26

schedule payments through a single global API, easy deposit and withdrawal mechanisms,
large transaction volumes, and custody services.15

In our interview with Bitso’s Head of Crypto, Andres Salcedo, a recurring theme developed
as our conversation progressed: the relationship between cryptocurrency regulation and its
impact in the industry. The sentiment conveyed was that increased regulation, when
approached in the same manner as traditional banking structures, may inadvertently drive
users towards illicit channels—in other words, the black market. Mr. Salcedo emphasized
the importance of fostering an open dialogue between regulators and regulated entities,
advocating for transparency and collaboration as cornerstones of the evolving crypto
sphere.

Our discussion continued into the potential dangers of analogical thinking in regulatory
frameworks. Andres underscored the need for recognizing cryptocurrencies and exchange
platforms for what they truly are—distinct from traditional financial institutions. Drawing
parallels between Bitcoin and traditional coins or equating exchange platforms to banks,
can become counterproductive and stifle their development.

A valuable example mentioned during the interview highlighted the unique requirements of
exchange platforms, such as the need for Proof of Reserve as opposed to fractional
reserves mandated for banks. This measure requires that the reserve ratio (the ratio
between a company’s funds and user funds) remains at 100%, to ensure that
cryptocurrency assets are safe. They are a public attestation of solvency via an independent
audit, which are generally conducted by a centralized third party, and are often
time-consuming, long, and manual to an extent. Whereas, fractional reserves whose reserve
ratio is commonly set at 10%.

He emphasized the intricacies of traceability associated with cryptocurrencies, noting the

inherent transparency in each coin’s transaction history, whose trajectory is traceable from
the moment it is mined. This transparency, along with the strong identification and
transaction reporting protocols that are in place, challenge the misconception that
cryptocurrencies move in the shadows. In essence, Mr. Salcedo stressed the imperative for

15
Bitso. “The Simplest Way to Use and Buy Cryptocurrencies.” Bitso, n.d.
 27

policy makers to collaborate with the industry, not against it. Understanding its nuances
rather than imposing traditional structures that hinder its evolution.

3.3.2 Secondary Research

Complimenting the primary research above, secondary research forms an integral part of
our analysis of the current due diligence practices conducted by VASPs. This segment
gleans the information required by the obligated subjects mentioned in sections 3.1.1 and
3.1.2 in light of Articles 3, 4, 4 bis, and 4 ter of Law 10/2010, of April 28. Conducted through
the examination of said subjects’ websites and related documents, we have yielded
quantitative data, policy insights, and details of the compliance measures implemented by
these entities. In doing so, we have identified trends and gaps in the compliance
environment of cryptocurrency-related obligations, as well as best practices to be
developed in Chapter 5. This multifaceted approach, which integrates both primary and
secondary research methods, ensures a comprehensive understanding of the current state
of regulated entities in Spain and a guide for those who want to enter the market.

3.3.2.1 Chainalysis Report: Crypto Myth Busting

Chaninalysis is a blockchain data platform and analysis firm that provides software,
services, and research to financial institutions, exchanges, cybersecurity companies, and
governments in more than 70 countries. Their data powers a compliance and investigation
software that has solved some of the world’s biggest criminal cases and allows consumers
to be safe. Provided by Andres Salcedo during our interview, the following section deals
with an analysis of Chainalysis’ Crypto Myth Busting Report from July 2023.16 We will focus
on three sections of the report: safety & security and legitimacy.

Safety & Security: Back in 2013 when the Silk Road—the first modern darknet
market—illicit activity accounted for 20% of Bitcoin’s daily transactions. Now, after years of
increased law enforcement pressure and regulation of crypto, that number has dialled down
to 0.24% in 2022. KYC and AML procedures have made it possible to prevent criminals
from using crypto. Improved blockchain analysis tools developed to comply with regulation

16
Team, Chainalysis. “The Chainalysis Crypto Myth Busting Report: 33 Cryptocurrency Myths
Refuted.” Chainalysis, July 11, 2023.
 28

as well as tracing mechanisms, have allowed governments to make important seizures.

Most notably, the U.S. seized $3.6 billion in cryptocurrencies in 2022 in connection to the
Bitfinex hack, and over that same amount in 2021 from a wallet tied to the Silk Road. The
inherent transparency related to blockchains allows financial institutions to assess the risk
of each transaction in real time, flagging anything deemed illicit. In fact, the illicit share of all
value received by mainstream exchange platforms amounted to 0.32% last quarter.

Legitimacy: Despite common belief, cryptocurrency was never meant to be nor is

untraceable. Transactions “have always been pseudonymous, in that they’re tied to a static,
publicly visible address, and not anonymous, as many believe.” Furthered by KYC
obligations which make fiat currency conversions identifiable. Nonetheless, some believe
crypto enables tax evasion. Nonetheless, there are no exemptions for virtual currency and
digital assets are being treated as income tax in many jurisdictions. In Spain, starting next
year, the first declarations on information regarding virtual currency to authorities must be
presented, following Law 11/2021, of July 9.

3.3.2.2 Case Study: Japan & Crypto

A recent Forbes article brought to our attention Japan’s increased leadership in

cryptocurrency regulation.17 It discussed how the country got there and what they can teach
the world. Following significant cryptocurrency exchange hacks, Japan has implemented
stringent security measures and unified regulatory strength. Although sometimes accused
of overregulating, the Asian giant is strategizing to become a leader in Web 3.0 technologies
with its stable regulatory framework as foundation. Unlike their U.S. allies who face
challenges in oversight gaps and an execution-based decision-making regulatory culture.
Japan’s proactive approach, employed after hard lessons, positions the country as leading
in the landscape. Especially through the role of their Financial Services Agency (FSA) in
shaping industry rules. Some of these include:
● Company and client assets must remain separate, and their holdings must be
verified by annual audits.

17
Bambysheva, Nina. “Todo Lo Que Japón Puede Enseñar al Mundo Sobre La Regulación de
Las Criptomonedas.” Forbes España, May 9, 2023.
 29

● Investors may not borrow more than twice their investments for transactions
leveraged by exchanges (Many exchange platforms, such as Binance, allow 100x
leverages).
● Exchanges must hold at least 95% of client funds in cold wallets.

Japan has emerged as a crypto haven, prioritizing customer-friendly policies and sparking
international policy debates on digital assets. The ruling Liberal Democratic Party’s Web 3.0
Project Team emphasizes the country’s potential as a leader in the industry, proposing tax
reform, improved accounting standards, and financial regulation based on blockchain. The
country’s Prime Minister Fumio Kishida greatly acknowledges the potential of Web 3.0 and
signals Japan’s intent in using blockchain technology to revitalize regional economies, what
he calls “Cool Japan”. Despite heavy regulation and a hostile tax code, they are enhancing
the country’s appeal by considering tax exemptions and streamline regulations. This shift in
position cements Japan as a major player in the global blockchain environment and sets an
example for other countries to follow.

3.3.2.3 Identity Verification

I. Coinbase: in order to sign up to the Coinbase website or application, users must

provide a valid form of identification “and may be asked for proof of address in order
to transact.”18 Despite a valid ID qualifying as government-issued identification
documents, identity verification “may take longer than a few minutes, depending on
where you live.”19 Moreover, they must provide a bank account, debit card, or initiate
a wire to connect a payment method.

II. Binance: identity verification is required for buying crypto with a credit or debit card
on their platform, no other payment methods are mentioned. As an incentive for
compliance, Binance allows users to get higher transaction limits with every step of
the verification process they complete. Beginning with name, address, and date of
birth. The next level requires a “copy of a valid photo ID and a selfie” which can be
taken through a smart phone or computer webcam.20 The final level requires proof of

18
Coinbase. “How to Buy & Purchase Cryptocurrency.” Coinbase, n.d.
19
Ibid
20
Binance. “Identity Verification for Buying Crypto with Credit/Debit Card on Binance.”
 30

address through the following documents: brokerage statements, utility bills (must
match mortgage), mortgage statements, and property tax statements.21

III. Gemini: the Gemini sign up page first prompts users with a questionnaire that asks
for: account type (whether an individual account for personal use or a business
account for companies, trusts, and institutions), given name, family name, email,
mobile number, location and language. Once set up and email is verified, users must
proceed with the identity verification. To verify “you’ll be required to upload a clear
and full photo ID (driver's license or passport).”22 With regards to payment methods,
Gemini allows “Wire and Bank Transfers, ACH Transfers, Apple Pay and Google Pay,
Debit Card Purchases, and Crypto Transfers.”23

IV. Kraken: the first step to trade on the Kraken website is to create an account with a
valid email address, which once verified “will allow funds to be deposited and trades
to be made.”24 Once verified you must sign in and begin the identity verification
process. This platform notes that identity verification field headers differ slightly
based on location. The example provided in their support website asks for the
following: name, last name, date of birth, address, and phone number. Once
completed, the next page will ask for Occupation by selecting a from a drop-down
menu, and depending on the user’s location, will ask for a Social Security Number
(SSN) or similar information varying by jurisdiction.

V. eToro: after verifying your email address, eToro requires users to verify their phone
number through SMS, a copy of a valid passport or both sides of a
government-issued identification card that contains: full name, date of birth,
photograph, and valid expiry date, proof of address through a document “issued in
the name of the eToro account holder and dated within the last 3 months (with the
exception of valid government-issued identification documents, such as a driver's
license), and must contain the following information: your name, your current
residence address, the date of issue, the issuing authority, a reference to the issuing

21
Binance. Identity documents policy
22
Gemini. How do I verify my identity in the app? – Gemini, n.d.
23
Gemini. “How to Buy Bitcoin (BTC): Buy Bitcoin in 6 Simple Steps.” Gemini, n.d.
24
Kraken. “Support.” Kraken, n.d.
 31

authority (logo, contact information, website, etc.),”25 and email verification if

skipped when creating an account.

VI. Blockchain.com: neither deposits nor trades are available upon account creation
and email verification. To begin trading, users must verify their identity by entering
their full name, last name, date of birth. The next page requires you to fill out your
address (country, street address, postal code, and city). The following step is to fill
out an enhanced due diligence (“EDD”) questionnaire. Lastly, users have to “take a
picture of your ID document and yourself and finalise the verification flow.”26 The last
step is automated through their partnership with an identification platform called
Veriff which is powered by AI and used by companies such as wise and bolt.

VII. Venly: as the first non-exchange platform on the list, this platform separates its
service in Venly Market, where users can buy, sell, transfer NFTs, and withdraw
USDCs, and Venly Wallet, which holds their tokens and can be transferred. In the
former, users will only need to verify identity to “withdraw more than 1000 USDC in a
single 30 day period” and in the latter for the “transfer native and ERC20 tokens.”27
The verification process is also done by Veriff and requires a picture of a valid ID
(passport or driver’s license) and a selfie.

VIII. Bitgo: after email address verification Bitgo collects names, phone number, and
region. When finished users will be asked for “identity verification for BitGo business
wallets, qualified custody, BitGo Prime and hot wallet users: [requiring] country of
citizenship, SSN, tax ID number, copies of government-issued identification, video
call footage to verify your identity, proof of residency documentation (e.g., copies of
utility bills), and other information you choose to provide to us as part of identity
verification.”28

25
eToro. NanoRep widget, n.d.
26
Blockchain. How do I verify my identity? – blockchain support center, n.d.
27
Venly. “Know Your Customer: Ensuring Compliance and Security: VenlyVenl.” RSS, n.d.
28
Bitgo. Privacy, n.d.
 32

After analyzing our findings above we concluded that:

➢ All 8 platforms require email address verification.
➢ 7 out of 8 require a valid form of identification document (government issued) and
merely 3 of those ask the user to take a picture of themselves (selfie).
➢ Only 6 out of 8 require users’ address information and only 4 of those ask for proof
of address.
➢ Only 2 ask for tax related information.
➢ The most secure exchange platform is, in terms of customer due diligence
requirements, Blockchain.com.
➢ The least secure exchange platform is, in terms of customer due diligence
requirements, Gemini.

3.3.2.4 Know Your Customer (KYC) Questionnaires

Know Your Customer Questionnaires are a set of standarized questions and procedures
that companies use to gather information about their users, with the primary goal to verify
identities, assess the risks posed, and ensure compliance with AML and CTF regulations.
They typically include a range of questions about the customers’ personal information,
occupation and sources of income, business activity, risk profile, and beneficial ownership.
The answers to these questions allow institutions to better understand their customer,
hence the name KYC, and prevent fraudulent activity or illicit transactions from occurring.
 33

They are an integral part of regulatory compliance efforts in terms of financial crimes, and
are sure to grow in popularity over the following years. However, adoption is still scarce. In
fact, only three of the eight platforms surveyed impose similar measures:

A. Kraken: the exchange giant requires KYC questionnaires to access the platform’s
products and services, but only for clients residing in the European Economic Area
(“EEA”). For existing customers, an email is sent out when the questionnaire is live in
their country. In the case of new ones, the questions are integrated in the
onboarding process.29

B. Blockchain.com: unlike the previous exchange platform, Blockchain.com’s

questionnaire is much more thorough. As a matter of fact, their survey is called EDD
Questionnaire, because Enhanced Due Diligence is one category over Customer
Due Diligence in the KYC risk rating scale, which begins with Standard Due
Diligence; EDD Customers are of high potential risk. Consequently, instead of a
singular set of questions, Blockchain.com requires users to fill out several
questionnaires under categories such as the Nature and Purpose of Business
Relationship.

C. Binance: similar to the previous platform, Binance may require you to undergo an
EDD verification process to enhance account security. This questionnaire may ask
you to declare if you are a Politically Exposed Person (“PEP”) or even request users
to upload documents as a declaration of their Source of Wealth (“SOW”).30

3.3.2.5 Tax Residency Accreditation

A tax residency, as can be inferred from the name, is a country where you’re subject to be
taxed. The particular criteria on tax residents varies from one jurisdiction to another. In
general terms, it is the country where you spend most of your year, or so is defined in
Revolut’s help page.31 Why Revolut? Because they are the world’s third largest neobank—a
bank that operates solely online—and happen to be a cryptocurrency for fiat currency

29
Kraken. “Know Your Customer Questionnaire.” Support.
30
Binance. “How to Complete Enhanced Due Diligence (EDD) Verification on Binance.”
31
Revolut. “What Is My Tax Residency?: Revolut Spain.” Revolut, n.d.
 34

exchange platform as well as wallet custodians, the ultimate obliged subject. Not many
crypto-centric obliged subjects have tax residency requirements. However, Kraken and
Bitgo do ask for tax identification. In the case of Revolut, they ask for name, resident’s
address, date of birth, tax residence documentation, and tax identification number.32

3.3.2.6 Transaction Monitoring

The leading entity behind transaction monitoring is Coinbase, with their scaled compliance
solutions they are powering the compliance of regulated entities for governments, financial
institutions, and crypto businesses. Their system is centered around three activities, they:
I. “Investigate illicit activities including money laundering and terrorist financing,
II. Screen risky crypto transactions to ensure regulatory compliance, [and]
III. Monitor transaction and user risk as your business scales.”33

In terms of law enforcement, Coinbase offers to link addresses to entities in order to track
the flow of funds and be able to plot ERC-20 and BTC tokens on a graph using their
proprietary clustering algorithm: Coinbase Tracer (pictured below). This software allows
users to view multiple tokens on a singular cryptocurrency flow, allowing them to analyze
the blockchain, assign risk scores and be alerted to counterparty risk. It further allows
investigating high risk entities and transactions while giving governments access to the
same on-chain data of millions of users that coinbase uses for their own internal
investigations.

32
Revolut. “Why Does Revolut Collect Tax Information?: Revolut Lithuania.” Revolut, n.d.
33
Coinbase. Scaled compliance solutions from coinbase, n.d.
 35

Coinbase goes further than typical compliance, with the use of Travel Rule Universal
Solution Technology or TRUST, a global and secure Travel Rule compliance platform. The
Travel Rule is a United States legal provision that requires financial institutions to provide
basic information about their users when they send funds over three thousand dollars to
other financial institutions. TRUST, thus provides the Virtual Asset Service Provider (“VASP”)
using it with a system that identifies all Travel Rule-eligible transactions and all the
respective parties and encrypts the data through point-to-point channels that allow for a
secure transmission of data. It is a growing network of trusted VASPs that support the legal
and governance framework behind the Travel Rule and Anti-Money Laundering legislation.
 36

Chapter 4: Crypto Due Diligence Guide for Businesses

4.1 The Evolving Landscape of Cryptocurrency in Business and its Implications

4.1.1 Cryptocurrency in Business: An In-depth Exploration

The business world of today has undergone a transformation, with the introduction and
acceptance of cryptocurrency. As of June 2023 it became evident that digital currencies
were not a passing trend or a temporary phenomenon but a powerful force driving change.
Regardless of their size or reputation companies found themselves navigating the
captivating challenging realm of currencies.

Bitcoin emerged as the frontrunner closely followed by assets. Businesses started to view
these entities as more than alternatives to traditional currencies. They embraced a vision
where they not experimented with but actively integrated various digital assets into their day
to day operations. Two distinct approaches to adopting cryptocurrency in business became
apparent; one involved relying on third party services with a hands off strategy while the
other took a direct and hands on approach.

4.1.2 The Hands-off Approach

Businesses adopting the hands-off strategy primarily relied on third-party vendors to

manage their cryptocurrency transactions, often converting crypto assets back to fiat
currency immediately. This strategy offered a simplified entry into the digital asset realm,
allowing businesses to benefit from the burgeoning crypto market without delving into the
intricate details of managing digital currencies directly.

However, delegating third-party vendors with crypto transactions means businesses trust
these intermediaries to handle vital aspects, such as compliance with AML and KYC
regulations. While these vendors undoubtedly simplify the transactional process,
businesses must remain vigilant, understanding the evolving regulatory framework and
ensuring their chosen partners remain compliant.
 37

Pros:
1. Simplified Entry: Businesses can benefit from the cryptocurrency market without
the need for in-depth knowledge about managing digital assets.
2. Immediate Conversion: Immediate conversion to fiat currency reduces exposure to
the volatility of the cryptocurrency market.
3. Outsourced Compliance: Relying on third-party vendors means these vendors will
often handle compliance requirements, relieving businesses from this responsibility.
4. Reduced Operational Overhead: Businesses do not need to invest in
infrastructure, security protocols, or dedicated personnel for cryptocurrency
management.
Cons:
1. Dependence on Third Parties: Businesses place their trust in third-party vendors,
which can be risky if these vendors are not reliable or secure.
2. Potential for Non-compliance: If third-party vendors don't adhere to regulations,
businesses might face legal repercussions.
3. Reduced Control: Businesses have less direct control over their assets and the
transaction process.
4. Potential Fees: Using third-party services might involve fees or commissions that
can eat into profit margins.

4.1.3 The Hands-on Approach

In contrast, the hands-on strategy provides businesses with a more immediate and intimate
interaction with their cryptocurrency transactions. This could involve using third-party
custodians or even integrating crypto directly into the company's operational systems.
Here, businesses manage their crypto wallets, understand the distinctions between "hot"
and "cold" storage, and navigate the intricate maze of crypto-to-crypto exchanges.
This deeper involvement, while offering greater control and insight, also brings about its
challenges. Companies must familiarise themselves with the technicalities of crypto asset
management, from wallet structures to the nuances of second-layer protocol risks. Such an
approach requires solid foundational knowledge and continuous learning to evade potential
pitfalls.
 38

Pros:
1. Direct Control: Businesses have direct control over their cryptocurrency, enabling
immediate decision-making.
2. In-depth Insight: Direct management provides a better understanding of crypto
assets, their performance, and potential risks.
3. Flexibility: Businesses can decide when and how to convert assets, potentially
taking advantage of favourable market conditions.
4. Direct Compliance: Companies have full visibility and control over their compliance
with regulations.
Cons:
1. Increased Complexity: Managing cryptocurrency requires understanding various
concepts, such as "hot" and "cold" storage, crypto-to-crypto exchanges, and wallet
structures.
2. Operational Challenges: Businesses need to invest in infrastructure, and security
measures, and possibly hire experts to manage their cryptocurrency holdings.
3. Risk Exposure: Directly managing cryptocurrency exposes businesses to the
asset's volatility, potential for loss, and security threats.
4. Continuous Learning Curve: The crypto landscape evolves rapidly, requiring
businesses to constantly update their knowledge and adapt to changes.

Both approaches have their merits and challenges, and the best choice often depends on a
business's specific needs, risk tolerance, and long-term vision.

Irrespective of the chosen strategy, one constant remains: the tax and accounting
implications of crypto transactions. The unique nature of cryptocurrencies introduces a
myriad of financial considerations. Determining the value of transactions, understanding tax
implications, and ensuring compliance with ever-changing regulations are paramount.

4.1.4 Concluding Insights

The exploration of the relationship between business and cryptocurrency has been
incredibly enlightening. While digital currencies offer enticing opportunities they also come
 39

with their share of challenges. Businesses must adopt an informed and adaptable approach
to thrive in this evolving landscape.

Cryptocurrency is at the forefront of transforming the business world. As we delve deeper

into this realm we are filled with anticipation and excitement about the potential for
integration and innovation, within this frontier. The path ahead will undoubtedly be both
demanding and rewarding. (Source; Deloitte US, 2021)

4.2 Companies Accepting Crypto Payments

Cryptocurrency adoption as a form of payment has gained momentum across various

industries in recent years. This comprehensive list categorises companies by sector to
identify trends in adoption, analyses motivations behind their decisions, investigates
geographical distribution, and examines case studies of prominent adopters like PayPal,
Starbucks, Burger King, Microsoft, AT&T, Ryde, and Overstock revealing a growing trend of
cryptocurrency integration into various sectors of the economy.

· PayPal: In October 2020 PayPal took a step forward by allowing its customers to
purchase, hold and sell cryptocurrencies directly through their accounts. With
346 million accounts and processing $222 billion in payments during the first
quarter of 2021 alone PayPals decision was a strategic move to take advantage
of the growing interest in cryptocurrencies.
· Starbucks: Starbucks took a unique approach by partnering with Bakkt in
August 2018, allowing customers to convert their cryptocurrency holdings into
U.S. dollars for use in purchasing coffee. While not a direct adoption case,
Starbucks paved the way for innovative payment methods, showing the potential
for crypto in mainstream commerce.
· Burger King: In January 2020, Burger King in Venezuela began accepting
cryptocurrency payments through a partnership with Cryptobuyer. This move
aimed to assist Venezuelans battling hyperinflation, where the local bolivar had
lost 99% of its value since 2013. Burger King's adoption illustrated how crypto
can address real-world economic challenges.
 40

· Microsoft: Microsoft embraced Bitcoin as a payment option as early as 2014

through a partnership with Bitpay. Beyond accepting crypto, the company
delved into blockchain technology with the launch of Azure Blockchain Service
in 2015. This step showcased the potential of blockchain for broader
applications beyond payments.
· AT&T: In May 2019, AT&T became the first mobile carrier to offer a
cryptocurrency payment option, partnering with BitPay to enable customers to
pay their phone bills with Bitcoin. This decision aimed to provide convenience to
customers and stay competitive in the rapidly evolving tech landscape.
· Ryde: Ryde, a carpooling app in Singapore, introduced its crypto wallet,
enabling Bitcoin payments and becoming the first ride service to introduce
cryptocurrency payments into its platform, catering to tech-savvy users with its
innovative approach.
· Overstock: Overstock, a prominent American online retailer, partnered with
Coinbase to accept cryptocurrency payments like Bitcoin, Ethereum, Litecoin,
Dash, and Monero. This step aimed to facilitate the shopping experience and
remain at the forefront of technology adoption.

These companies serve as examples of how cryptocurrencies are gaining widespread

acceptance and being embraced by mainstream businesses. They have incorporated
cryptocurrencies into their day to day operations for reasons, including meeting customer
demands, embracing advancements and navigating through economic uncertainties. This
trend is expected to gain momentum as an increasing number of businesses recognize the
benefits offered by cryptocurrencies. (Analysis; The Implications of PayPal and Microsofts
Adoption of Cryptocurrencies, in the Future, 2023)

4.2.1 Based on the Article 2 of Spanish Law 10/2010

According to the guidelines stated in Article 2 of Spain's Law 10/2010, which

focuses on preventing money laundering and financing terrorism companies can be
categorised based on their obligations, for compliance:

Entities Likely to be Covered by Article 2:

 41

· PayPal: Engages directly in cryptocurrency transactions, which could classify it

as a provider of services for the exchange between virtual and fiat currencies.
· Ryde: Offers a crypto wallet, possibly classifying it as a custodian wallet provider
under Spanish regulations.
· Overstock: Accepts cryptocurrency as payment, potentially placing it under the
scope of entities that need to comply with AML/CFT regulations related to virtual
currencies.

Entities with Indirect Involvement:

· Starbucks, Burger King (Venezuela), and AT&T: Their indirect involvement
through third-party platforms might place them in a less direct category of
compliance, but the specifics would depend on the nature of their contractual
relationships with the cryptocurrency service providers.
· Microsoft: Uses blockchain technology and accepts Bitcoin payments, which
might require compliance with relevant AML/CFT regulations, particularly if they
are involved in the exchange or custody of cryptocurrencies.

In the context of Spanish Law 10/2010, these companies, especially those directly handling
or exchanging cryptocurrencies, would need to adhere to specific AML/CFT requirements,
including customer due diligence and transaction reporting.

4.3 Securing Crypto Payments

To ensure the legitimacy of cryptocurrency transactions, businesses can implement various

strategies and verification mechanisms. These measures are crucial for mitigating the risk of
fraudulent activity in cryptocurrency acceptance. Here are key approaches to enhance
verification processes:
1. Partnering with Reputable Cryptocurrency Payment Providers: An effective
approach is to form partnerships with known cryptocurrency payment providers, like
BitPay, Coinbase and Flexa. Another option is to integrate with established
cryptocurrency networks that have a reputation. By collaborating with these industry
leaders businesses can benefit from their expertise and strong security measures to
ensure validation and authorization of transactions.
 42

2. Know Your Customer (KYC) Procedures: Incorporating KYC procedures can

improve verification processes. KYC involves gathering necessary customer
information during registration or at the point of sale to verify identities and detect
potentially suspicious activities. By implementing this approach, businesses can
achieve more profound insights into their customers' behaviours, preferences, and
needs, all while mitigating the risks of fraudulent activities.
3. Multi-Factor Authentication (MFA): By asking users to supply certifications other
than their password, multi-factor authentication techniques give extra protection.
This could entail combining traditional login and password combinations and
biometric data, such as fingerprints or facial recognition technologies.
4. Real-Time Transaction Monitoring and Analysis: Employing transaction
monitoring tools that utilise machine learning algorithms can help identify patterns
indicative of fraudulent behaviour in real time. These sophisticated systems analyse
large volumes of data quickly and accurately flag any suspicious activities for further
investigation.

By adopting these proactive approaches towards verifying cryptocurrency transactions,

businesses can minimise fraud risks effectively while providing secure payment options for
their customers.

4.3.1 ­Ensuring Compliance in Cryptocurrency Transactions

4.3.1.1 Customers' Compliance

When individuals or businesses participate in cryptocurrency transactions they have a

responsibility, in upholding the legitimacy and security of these transactions. Here are
important considerations regarding customers compliance:
1. KYC (Know Your Customer) Procedures: To ensure the security of cryptocurrency
transactions customers are required to undergo KYC procedures, which involve
providing personal identification information to verify their identity. These procedures
are crucial in confirming the authenticity of individuals and businesses involved in
high value transactions as they help prevent activities.
 43

2. Transaction Reporting: In regions and, for transactions of value individuals may be

required to inform relevant authorities about their cryptocurrency dealings. Reporting
these transactions assists government agencies in monitoring and overseeing
cryptocurrency activities involving amounts of money. It is a measure to uphold
transparency and ensure compliance with regulations, in the cryptocurrency
ecosystem.
3. Adherence to Platform Policies: Users are required to follow the guidelines and
terms of service established by cryptocurrency service providers such as BitPay.
These guidelines are put in place to guarantee compliance with the law and prevent
any activities creating a reliable space for cryptocurrency transactions. Not abiding
by these guidelines could lead to account suspension or legal consequences
underscoring the significance of adhering to them.

4.3.2 What is BitPay

In the changing world of digital finance, companies looking to participate in the digital
economy have found third party services, such as digital currency payment processors to
be increasingly important. These services play a role in ensuring security and compliance
making it easier for businesses to seamlessly incorporate cryptocurrencies into their
operations. One key aspect of this integration is implementing measures to prevent fraud
and mitigate risks associated with money laundering while also adhering to laws and
regulations. It's not about following rules; it's about maintaining the trustworthiness and
integrity of businesses operating in the realm. By leveraging the expertise of third party
providers companies can navigate complexities while embracing the opportunities
presented by currencies finding a balance between innovation and legal responsibility.

For businesses operating in Spain those to Article 2 of Law 10/2010 there is a dual
challenge; embracing cryptocurrency opportunities while ensuring compliance with strict
anti money laundering (AML) and counter terrorism financing (CTF) regulations. A crucial
part of this challenge involves finding ways to safely integrate cryptocurrency transactions
into their operations without violating any requirements. To illustrate how businesses can
tackle these complexities successfully, let's look at BitPay—a leading provider of
cryptocurrency payment services—, as an example.
 44

BitPays approach to compliance serves as an example for companies seeking to engage

with digital currencies in a safe and legal manner while also complying with Spanish laws
and international regulations. BitPay, established in 2011 is a cryptocurrency payment
service provider that enables merchants to accept Bitcoin and other cryptocurrencies. They
offer solutions for both in person transactions minimising the risks associated with
cryptocurrency volatility. Additionally BitPay provides services such as cryptocurrency
wallets, prepaid Mastercards and other financial solutions tailored for the asset space.

4.3.2.1 Bit Pay’s Compliance

Service providers like BitPay are essential in facilitating cryptocurrency transactions while
maintaining regulatory compliance. Here's an overview of Bit Pay’s regulatory measures and
practices:
1. KYC and AML Procedures: BitPay maintains a Compliance Team that takes charge
of handling KYC, Regulations and the Legal Status of Cryptocurrency. These
professionals work diligently to ensure that BitPays operations remain in compliance
with laws and regulations. Through the implementation of KYC and AML protocols
BitPay carefully verifies the identities of both individuals and businesses utilising
their platform for transactions involving substantial amounts. This thorough
verification process enhances the security and credibility of cryptocurrency
transactions.
2. Compliance with U.S. Sanctions: As a company BitPay follows all required local
regulations. Specifically it adheres to the sanctions imposed by the Office of Foreign
Asset Control (OFAC) at the U.S. Department of Treasury. These sanctions prevent
U.S. Companies, including BitPay from conducting any trade activities, with
individuals or businesses located in countries under sanction. By complying with
these sanctions BitPay ensures that its operations are conducted within the
boundaries of the law.
3. Regulatory Oversight: BitPay follows all Financial Action Task Force (FATF)
standards and is governed by the Financial Crimes Enforcement Network (FinCEN).
4. Money Transmitter Licence (MTLs): In the U.S, BitPay has obtained over 20
Money Transmitter Licence (MTLs), including the highly stringent New York
 45

BitLicense. These licences are crucial for operating legally as a payment processor
in various states. The acquisition of these licences signifies Bit Pay's dedication to
compliance, as they necessitate a significant internal regulatory compliance
infrastructure. Moreover, having MTLs indicates compliance from both a regulatory
and cybersecurity standpoint.
5. Sanctions Compliance Controls: BitPay implemented sanctions compliance
controls as early as 2013 and formalised its sanctions compliance program in 2014.
These controls include conducting due diligence on merchant customers to ensure
adherence to sanctions programs and other regulatory requirements.
6. Regulations: Adherence to the upcoming Markets in Crypto Assets (MiCA)
regulations is crucial for international businesses, especially those looking to operate
in the European Union. Bit Pay's compliance department is positioned to educate
and guide merchants through the compliance and legal landscapes of different
geographies.
7. Educational Resources for Merchants: BitPay places importance on offering
materials and guidance to merchants as part of their commitment to compliance.
They provide an explanation of the onboarding process for consumers including the
Know Your Customer (KYC) verification. Through educating their merchant partners
BitPay enables them to effectively navigate the environment promoting transparency
and ensuring compliance with all requirements.

Through these comprehensive measures, BitPay strives to create a compliant and

trustworthy environment for businesses and individuals to conduct cryptocurrency
transactions. This commitment addresses concerns regarding the legitimacy and origin of
funds, ensuring regulatory compliance throughout the cryptocurrency ecosystem.

4.3.2.2 Customer Story - Case Study: Newegg

Newegg Accepts Cryptocurrency, Gets New Global Customers

Industry: Electronics, Computer Hardware
Headquarters: Whittier, CA
 46

Customer Overview
Established in 2001 Newegg stands as the retailer, with a strong focus on technology in
North America. It caters to customers across, than 80 countries placing importance on
customer satisfaction and continuously working towards providing an unparalleled online
shopping journey.

Challenge
Five years ago, motivated by the company’s customer-first mindset, Newegg wanted to
attract new buyers who preferred to pay using cryptocurrency. As Newegg’s CMO said at
the time: “Newegg’s customers are among some of the earliest bitcoin miners and are
enthusiastic proponents of the cryptocurrency. Adopting Bitcoin as a payment method is
another way we’re responding to our customers’ diverse needs.” However, Bitcoin’s
volatility made accepting, holding, and liquidating cryptocurrency payments an issue for
Newegg in addition to the other technical challenges of creating and maintaining their
cryptocurrency acceptance system.

Solution
To resolve these issues, Newegg turned to BitPay. With Bit Pay’s seamless process, they
were able to accept cryptocurrency from their customers at scale and receive USD
settlement from BitPay the next business day. The solution worked so well that Newegg
expanded its cryptocurrency payment option into Canada in 2018 and across the globe a
year later. Today, Newegg accepts cryptocurrency in 72 countries.

Worldwide Acceptance
According to Newegg the adoption of cryptocurrency as a payment method has seen an
increase on a level compared to the United States and Canada. Since expanding its
acceptance of cryptocurrency, beyond North America Newegg has observed that five times
payments are being made using digital currencies worldwide within the same timeframe.

Results
Since teaming up with BitPay in 2014 Newegg has seen a surge in customers who prefer
using cryptocurrency to shop and make payments. This has resulted in increased revenue.
The worry of credit card fraud and chargebacks. According to Newegg both the
 47

cryptocurrency community, as their existing customer base were thrilled about the global
launch of cryptocurrency payments. Many potential customers worldwide either lack credit
cards. Wish to avoid fees associated with traditional cross border transactions. For
individuals cryptocurrency payments offer an alternative and give businesses like Newegg a
competitive edge as they expand on a global scale.

4.4 Accepting Cryptocurrency: Risk Assessment

After conducting research on cryptocurrencies it became clear that the introduction of

technology has significantly impacted the banking industry. However it has also
inadvertently opened up opportunities for crimes. Surprisingly in 2021 illicit transactions
involving cryptocurrencies reached $14 billion nearly doubling from the previous years $7.8
billion.

Considering this context and the evolving regulatory environment surrounding

cryptocurrencies, companies must actively comprehend their compliance responsibilities. It
is not, about following laws but genuinely understanding and mitigating the risks they
encounter.

We discovered five essential recommended practices for efficient cryptocurrency

compliance during our investigation:
1. Comprehensive Risk Assessment: The FATF's recommendation for a risk-based
approach to AML/CFT compliance stood out prominently. We found that firms could
establish robust risk profiles by emphasising rigorous onboarding, transaction
monitoring, and maintaining an acute awareness of the regulatory pulse. Moreover,
with cryptocurrencies being a predominantly digital asset, it is essential to delve
deep into virtual asset risk assessments, acquainting yourself with the intricacies of
each asset.
2. Understanding Criminal Typologies: The findings revealed a myriad of money
laundering techniques exclusive to the cryptocurrency domain, from layering, where
illicit assets are circulated through multiple transactions, to the intriguing method of
'dusting', where numerous tiny transactions are made to confuse monitoring
 48

systems. Also, the rise of stolen NFTs, darknet transactions, and crypto wallet thefts
has added complexity to the challenge.
3. Building a Competent Compliance Team: The importance of a skilled compliance
team cannot be overstated. Our research observed that the most successful firms in
managing cryptocurrency risks had personnel with expertise in finance, policy, and
law enforcement. Such diverse expertise ensures a holistic approach to compliance,
covering all potential blind spots.
4. Technological Integration in Compliance: The technological underpinnings of
cryptocurrency compliance were fascinating. Firms can significantly enhance their
compliance processes by harnessing the power of digital identity verification
through biometrics, integrating AI for efficient data management, and leveraging
blockchain for secure data storage. The convergence of these technologies not only
streamlines compliance but also adds layers of security that are paramount in this
domain.
5. Effective Stakeholder Management: One of the most pivotal findings from the
research was the importance of stakeholder management. Proactive stakeholder
management emerged as a cornerstone of effective cryptocurrency compliance,
whether fostering clear communication channels, appointing dedicated officers like
the MLRO, or regularly updating compliance employees with the latest AML/CFT
best practices.

In conclusion, with its vast potential and inherent risks, the cryptocurrency landscape
presents a unique challenge for businesses. Firms can confidently navigate this complex
space by diligently implementing the best practices outlined, ensuring security and
compliance in all cryptocurrency initiatives.

4.4.1 Navigating the Complexities of Cryptocurrency Compliance: Lessons from the

Binance Money Laundering Case

The world of cryptocurrencies has always had its share of opportunities and risks. The
recent situation involving Binance, which happens to be the cryptocurrency exchange
serves as a powerful example of these complexities.
 49

In a turn of events Binance and its CEO Changpeng Zhao have come forward. Admitted
their involvement in activities related to money laundering. As part of a plea agreement with
the US Justice Department Zhao has stepped down from his position. Paid fines amounting
to $4.3 billion. This incident has sent shockwaves through the cryptocurrency community
emphasising the need for adhering to obligations particularly in combating money
laundering (AML) and terrorism financing (CFT).

Implications for Businesses

· Increased Regulatory Attention: The Binance case highlights the escalating
regulatory bodies' scrutiny of the cryptocurrency sector. Businesses involved in
digital currencies must prepare for more stringent oversight and potential
regulatory actions.
· Robust Compliance Programs: The incident underscores businesses' need to
establish and maintain robust compliance programs. This includes implementing
effective KYC procedures and continuous monitoring of transactions for potential
illicit activities.
· Reputation and Trust Factors: Trust and reputation are paramount in
cryptocurrency. The Binance case demonstrates the rapid erosion of trust that
can occur with compliance failures, emphasising the need for businesses to
associate with partners who uphold high ethical standards.
· Market Confidence and Volatility: Such high-profile cases can significantly
impact market confidence, leading to increased volatility in the cryptocurrency
markets. Businesses must factor this into their risk assessments and strategic
planning.

Lessons from the Binance Case

· Due Diligence on Partners: The Binance incident reminds businesses to
conduct thorough due diligence on their cryptocurrency partners. This is crucial
to ensure that these partners have a solid track record of compliance and ethical
operations.
· Legal Landscape Awareness: Staying ahead of the evolving legal and
regulatory landscape is essential for businesses in the cryptocurrency sector.
 50

This includes understanding the legal implications and requirements in different

jurisdictions.
· Integrated Risk Management: Incorporating potential regulatory risks and
reputational considerations into the overall risk management strategy is vital for
businesses operating with cryptocurrencies.

The recent incident involving money laundering at Binance serves as a lesson about the
dangers associated with the cryptocurrency market especially in terms of following
regulations and maintaining ethical practices. It is crucial for companies entering this field to
focus on establishing compliance systems, conducting assessments of potential partners
and gaining a deep understanding of the legal environment. By studying cases like Binance
businesses can navigate the landscape of cryptocurrencies, with security and achieve
higher levels of success.

4.5 Identity Verification

4.5.1 Cryptocurrency

Without a doubt the remarkable surge in popularity of cryptocurrencies like Dogecoin,

Ethereum and Bitcoin has captured the attention of people worldwide. However like any
emerging industry it has faced challenges in terms of security and regulation. Research
indicates that there is a conflict between the need for oversight and the demand for rapid
innovation especially considering the increase in fraudulent activities.

One concerning trend I've noticed is the exploitation of security vulnerabilities in exchanges
by individuals. These wrongdoers have managed to syphon off amounts of cryptocurrency
assets by creating accounts using counterfeit identities or taking over existing ones with
stolen information.

In response to this trend crypto exchanges and related entities have been actively working
to enhance their security measures and comply with evolving regulations. Traditional
practices such as asking users to submit identification documents or take selfies are no
 51

longer sufficient. These methods can be easily bypassed by using images obtained illicitly
from media or data, on the dark web.

Cryptocurrency businesses should implement stricter identity verification procedures.

However upon investigation we encountered a challenge; these security measures must
ensure the highest level of protection while preserving a seamless user experience.
People are drawn to cryptocurrencies for a variety of reasons, including their ease of use
and the promise of transactions.

4.5.2 Blockchain Ecosystem

We came across some findings while trying to understand how identity verification works in
the world of cryptocurrency. Nowadays businesses rely on more than fixed information.
They are actively monitoring users actions and behaviours in time by using "dynamic"
identification data. This approach has its pros and cons. On one hand it provides a view of
a user's identity but on the other hand it also exposes them to potential fraud and privacy
breaches.

Sophisticated identity verification solutions have become crucial for companies that strive
to strike a balance between strong security measures and user convenience. These
solutions go beyond authenticating ID documents. They integrate data from sources like IP
addresses or third party datasets such as voter registration records enabling the creation of
dimensional user profiles that are difficult to counterfeit.
There are moments when these verifications become particularly important such as during
the onboarding process when executing high value trades or when attempting wallet
transfers. Users may encounter layers of identity checks that involve inputting codes sent to
their devices or even submitting real time photos or videos of themselves for authentication.

However there remains a challenge. In this era users expect seamless experiences and
demand swift account creation and transaction processes, with minimal disruptions.
As a result cryptocurrency companies find themselves in a balance striving to create user
experiences while also protecting their platforms from potential threats.
 52

Chapter 5: Due Diligence Best Practices

5.1 Money Doesn’t Grow on Trees

As the title of this section suggests, identifying the origin of funds as well as determining the
beneficial ownership are crucial components of AML and CTF compliance. This diligence
ensures that financial transactions are transparent and that their users are held accountable,
mitigating the risk of illicit activity associated with cryptocurrencies. Although the adoption
of digital assets still faces some resistance, major companies such as Starbucks, Microsoft,
and those discussed in section 4.2 have embraced cryptocurrencies with open arms,
underscoring mainstream recognition. By adopting measures that can be translated into
actual obliged objects, these industry leaders set a precedent for responsible financial
practices in the crypto space, contributing to the legitimacy and widespread acceptance of
cryptocurrencies in the global economy.

5.1.1 KYC Measures

As discussed in sections 3.3.2.3 and 3.3.2.4, we have established the following best
practices:

1. Identity Verification: apart from requiring full name, it is crucial to request a valid
form of identification, mainly a government issued ID. On top of this, it is important
to gather proof of identity by asking for a selfie, commonly done through AI
softwares that matches the picture in the ID provided to the picture of the user taken
in real time, not uploaded.
2. Address Information: it is vital for regulated entities to require address information
and proof of address from their customers. Proposed documentation includes: utility
bills, brokerage statements, mortgage statements, and property tax statements.
Another option is any document issued within the last 3-6 months that includes full
name, residential address, date of issue, issuing authority, and reference to the
issuing authority (logo or contact information).
3. Tax Residency Documentation: sometimes satisfied by the two previous
measures, we recommend accrediting tax residency of all customers. This can be
 53

done by requesting for a Taxpayer Identification Number (TIN), for example user’s
DNI or NIE in Spain or SSN in the United States.
4. KYC Questionnaires: we believe that including some type of KYC questionnaire
allows obligated subjects to properly assess their customers’ intentions. Once
completed, we recommend categorizing customers based on risk levels determined
by their answers on subjects like occupation, nature of business relations, and any
that each firm may find relevant.

Honorable mention to verifying email addresses, which, as per our analysis all major
exchange platforms do. As a great way to attach an online persona to natural persons, all
obligated subjects should partake when possible.

5.1.2 Other Measures

Following the measures laid out in sections 4.3 and 4.4, we have developed the best
measures to follow when complying with AML and CTF regulations:

1. Transaction Monitoring: this may be, apart from the KYC measures, the most vital
approach to AML and CTF regulations. Real-time transaction monitoring coupled
with machine learning algorithms are the best way to identify fraudulent activity
quickly. This must be coupled with effective reporting mechanisms.
2. Multi-Factor Authentication (MFA): this measure adds a layer of protection for
users by requiring them to provide verification either from their email, an app, or
even biometric data. In doing so, customers are verifying for companies that they
are in fact the ones managing their account, and can be held accountable for their
transactions.
3. Risk Assessment: as mentioned in the previous section, attaching risk profiles to
customers allows firms to be on top of AML and CTF prevention, by having clearly
identified potential criminals.
4. Compliance Team: when possible, we recommend that companies create
compliance teams with personnel expert in AML and CTF compliance practices that
ensure obligations are being met, while identifying weaknesses in the system and
developing solutions.
 54

5. Stakeholder Management: commonly overlooked, this measure is pivotal to

effective compliance. It can be done through establishing communication channels,
regularly updating compliance policies, and even appointing a Money Laundering
Reporting Officer (MLRO).
6. In-house Formation: it is important that all employees are aware of the risks
associated with AML and CTF. For this we recommend mandatory training on these
concepts and on how to identify and report fraudulent activity to superiors. Not all
criminal activity looks the same, and understanding their typologies aids their
extinction.

5.2 To Outsource or not to Outsource

This section outlines the best way for companies to navigate AML and CTF compliance
following the two approaches laid in sections 4.1.2 and 4.1.3: hands-on, which involves
direct control, and hands-off, which relates to partnering with third parties. However, there
is more to the mere disadvantages and advantages of each approach. These
considerations, especifically the influence of a company’s size in the decision, will be
developed in section 5.3.

5.2.1 Inhouse Protocols

In general, not outsourcing a practice provides firms with direct control over the
decision-making as well as deeper insights into performance and risks. Enacting
compliance practices from within offers greater flexibility in the application of measures and
the conversion of assets from digital to fiat. Nonetheless, this method drags complex
concepts that not all firms are familiar with nor have the time to get familiarised with. On top
of this, from an operational perspective, a hands-on approach requires investments in
infrastructure, security measures, and even hiring compliance personnel. Managing
compliance from a cryptocurrency standpoint requires a continuous learning curve to keep
up with the evolving regulatory landscape.
 55

5.2.2 Third Parties

The main advantage of contracting third parties to handle compliance is shying away from
having to become familiar with the intricacies of cryptocurrency AML/CTF compliance;
especially for businesses with limited knowledge on the subject. From a crypto as a
payment method standpoint, a great advantage would be the ability to convert virtual
currency to fiat currency immediately, mitigating market volatility risks. Delegating this task
reduces operational overhead given infrastructure and personnel investments are
unnecessary, besides removing the responsibility and subsequent headspace to an extent.
But, there is no free lunch. Diminished control over compliance, assets, and transactions
can be detrimental to a company, besides possible hidden fees and commissions that can
impact profit margins. Lastly, depending on potentially-unreliable third parties may create
legal repercussions if such fail to comply with regulations. To overcome this, the following
section deals with a curated selection of tested and trusted third parties.

5.2.2.1 Suggested Third Parties

In our analysis we found reliable companies that make cryptocurrency acceptance and AML
compliance easier for companies that contract their services. Our suggestions are: Veriff,
BitPay, Flexa, and Coinbase. The first one is particularly for KYC compliance, as outlined in
section 3.3.2.3, and is our favourite option amongst the four. In the case of adopting
cryptocurrencies as a payment method, then BitPay is our preferred choice. However, the
decision on which company to partner with depends on the necessities of the contracting
party.

5.3 Size Matters

Compliance with Anti-Money Laundering requirements differs for small and large
companies. The latter typically have dedicated complicated teams and more capital to
invest in outsourcing KYC protocols or to purchase softwares that aid those processes. On
the other hand, small entities face resource constraints in terms of limited budgets but due
to their smaller client base, the volume of transactions is more manageable. Understanding
the nuanced considerations attached to firm size is vital for proper implementation of
measures.
 56

5.3.1 Small Obliged Subjects

As per Commission Regulation (EU) 651/2014 micro, small, and medium enterprises are
defined as follows:

Category Nº of Employees Turnover Balance Sheet

Medium < 250 ≤ 50M€ ≤ 43M€

Small < 50 ≤ 10M€ ≤ 10M€

Micro < 10 ≤ 2M€ ≤ 2M€

Considering the limited capital and manpower associated with smaller firms, we
recommend a hands-off approach. In terms of KYC, Veriff’s enterprise plans are fully
customizable and cost effective, tailored to the needs of the company.34 As a ballpark,
self-serve plans start at $49.00/month + $0.80 per verification.35 If the desired outcome is to
also accept virtual currency as a payment method, then BitPay offers a tiered pricing
mechanism: 2% + 25¢ for transactions < $500k, 1.5% + 25¢ for those ≥ $500k and ≤ $1M,
and 1% + 25¢ for transactions > $1M. Although higher fees are applicable to high-risk
industries.36

Nonetheless, partnering with a third party is not enough as a best practice for compliance.
Some internal measures must also be implemented. Particularly, we recommend all those
mentioned in section 5.1.1 as company size does not preclude their application. However,
the measures explained in section 5.1.2 are affected by size. Because of this, we believe
that the most appropriate measures for small obligated subjects are: MFA along with
transaction monitoring and in-house formation if possible.

5.3.2 Large Obliged Subjects

As outlined in the previous section, following Commission Regulation (EU) 651/2014, large
enterprises would qualify as any company that has more than 250 employees and more

34
Veriff, Veriff. “Identity Verification Pricing & Plans - Free Trial.” Veriff, n.d.
35
Veriff, Veriff. “Identity Verification Pricing & Plans - Free Trial.” Veriff, n.d.
36
BitPay. “BitPay: Buy Crypto without Fees: Store, Swap & Spend Bitcoin.” BitPay Pricing, n.d.
 57

than 50 million euros in turnover or more than 43 million euros in their balance sheet.
Regarding whether to approach compliance internally or externally, given the financial and
operational capabilities of a big firm, we suggest a mixture of both. Third parties such as
those mentioned in section 5.2.2.1 are highly specialized in their craft and can provide any
business, big or small, with expertise on KYC and AML compliance. Despite this, given the
advantages discussed in section 4.1.3, we believe that the best practice for large obliged
subjects is choosing the best of both worlds. In regards to specific measures, we believe
that big companies should aim at implementing all the measures mentioned in sections
5.1.1 and 5.1.2 to the best of their abilities, as this will ensure the utmost compliance with
AML regulations.
 58

Chapter 6: Conclusion

In conclusion, this thesis comprehensively reaffirms the dynamic and transformative impact
of digital assets on current business practices, particularly cryptocurrencies. At its core, it
illuminates the dual strategic approaches businesses adopt towards cryptocurrency
integration. The first, a hands-off approach, relies heavily on third-party services such as
BitPay for streamlined entry into the digital asset realm, emphasising ease and compliance.
The second, a hands-on approach, engages businesses directly in cryptocurrency
management, providing greater control and a deeper understanding of the crypto market.
This research brings attention to the increasing use of cryptocurrencies, in industries. It
highlights how global trade is changing due to evolving consumer preferences and the
emergence of payment methods.

Throughout this capstone project there is an emphasis on the importance of understanding

where funds come from. This is crucial for complying with regulations related to money
laundering (AML) and countering the financing of terrorism (CFT) as well as reducing the risk
of illegal activities associated with cryptocurrencies. The exploration and analysis presented
in this thesis are heavily influenced by the focus on fund origins.

This capstone goes beyond simple adoption tactics for businesses.It explores extensively
the need for strict compliance with Anti-Money Laundering (AML) and Combating the
Financing of Terrorism (CFT) laws, as Spain's Law 10/2010 serves as an example. In order
to preserve the integrity and reliability of these financial transactions, the thesis emphasises
the critical role that intermediaries play in integrating traditional financial institutions with the
digital economy while guaranteeing regulatory compliance.

The research also confronts the challenges in identity verification within the cryptocurrency
sector. Balancing the need for robust security measures against the importance of a
seamless user experience is a balancing act that remains critical in the evolving landscape
of digital finance. The advancement in transaction monitoring, powered by machine learning
algorithms, is highlighted for its effectiveness in detecting and preventing fraudulent
activities.
 59

After conducting an investigation the report proposes an approach to mitigating risks by

leveraging the services of third party providers. This tactic takes advantage of the
knowledge and regulatory frameworks established companies in the cryptocurrency
industry possess thus decreasing the chances of activities. However the thesis underscores
the importance of exercising caution when engaging with entities making sure they adhere
to all obligations. This methodology aims to harness the advantages offered by currencies
while simultaneously minimising noncompliance and fraudulent risks.

A key takeaway from the study is the diversity of obligated subjects in the cryptocurrency
space, ranging from exchange platforms to wallet custodians. Insights from primary
research, including opinions from industry leaders, emphasise the uniqueness of
cryptocurrency and the need for regulation tailored to its specificities. The thesis echoes the
sentiment that regulation should not aim to stifle the growth of cryptocurrencies but should
instead evolve around their unique characteristics.

Notably, the research eliminates the myth of anonymity in cryptocurrencies, highlighting the
traceability of digital assets since their inception. Data from Chainalysis reports show a
significant decrease in illicit activities in the crypto space, attesting to the increasing
efficiency of transaction monitoring systems. These systems are instrumental in catching
criminals and are pivotal in retrieving funds in the event of fraudulent activities.

The thesis also addresses the misconception of tax evasion in crypto, noting that many
jurisdictions now require cryptocurrency transactions to be included in income tax forms.
This shift towards efficient regulation is exemplified by Japan, which has positioned itself at
the forefront of blockchain technology and Web 3.0.

Analysing eight major cryptocurrency companies, the study identifies gaps in the required
proof of provided information. It argues for proof of identification, address, and tax
residency accreditation to bolster AML and CFT prevention efforts. The effectiveness of
KYC questionnaires is highlighted for their ability to gather crucial information and
categorise risk levels, with predictions for their increased adoption.
 60

The thesis culminates in asserting the critical role of transaction monitoring as a key pillar in
preventing fraud, money laundering, and terrorist financing. The full adoption of machine
learning algorithms, capable of identifying fraudulent activity and tracing the history of token
transactions, is emphasised as the cornerstone of practical AML efforts.

Future studies could focus on enhancing fraud detection in cryptocurrency transactions,

utilising advanced technologies like AI and machine learning for real-time fraud prevention.
Additionally, a deeper exploration into blockchain forensics could provide valuable insights
into tracing and recovering assets from illicit transactions. Further research is warranted in
examining the evolution of regulatory and legal frameworks aimed at constraining crypto
fraud, mainly through a comparative analysis across various jurisdictions. Lastly, research
must determine how well consumer education initiatives work to spread knowledge of safe
cryptocurrency practices, which is crucial for averting fraud.

Overall the partnership with Grant Thorton highlights the importance for businesses to
effectively combine the advantages of currencies with a dedication to following regulations
and maintaining operational honesty. As our society becomes more digitised it is crucial for
businesses to adopt this approach in order to achieve prosperity and preserve trust and
credibility in the ever changing digital economy. This thesis serves as a manual for
businesses as they navigate the dynamic realm of cryptocurrency. It offers insights and best
practices, for integrating and regulating within this new digital landscape.
 61

Bibliography

Bambysheva, Nina. “Todo Lo Que Japón Puede Enseñar al Mundo Sobre La Regulación de Las

Criptomonedas.” Forbes España, May 9, 2023.

https://forbes.es/criptomonedas/275405/todo-lo-que-japon-puede-ensenar-al-mundo-sobre-la-

regulacion-de-las-criptomonedas/.

Binance. “How to Complete Enhanced Due Diligence (EDD) Verification on Binance.” Binance

Support, n.d.

https://www.binance.com/en/support/faq/how-to-complete-enhanced-due-diligence-edd-verifc

ation-on-binance-2d42f7966ee44622ad2e29a34324c96e.

Binance. Identity documents policy – binance.US, n.d.

https://support.binance.us/hc/en-us/articles/360047428293-Identity-Documents-Policy.

Binance. “Identity Verification for Buying Crypto with Credit/Debit Card on Binance.”

Binance, Verification, KYC, n.d.

https://www.binance.com/en/support/faq/identity-verification-for-buying-crypto-with-credit-d

ebit-card-on-binance-360041015712.

Bitgo. Privacy, n.d. https://www.bitgo.com/legal/privacy/.

BitPay. “BitPay: Buy Crypto without Fees: Store, Swap & Spend Bitcoin.” BitPay Pricing, n.d.

https://bitpay.com/pricing/.

Bitso. “Bitso.” LinkedIn, n.d. https://www.linkedin.com/company/bitso/.

Bitso. “The Simplest Way to Use and Buy Cryptocurrencies.” Bitso, n.d. https://bitso.com/.

Blockchain. How do I verify my identity? – blockchain support center, n.d.

https://support.blockchain.com/hc/en-us/articles/360018080172-How-do-I-verify-m

y-identity-.

Coinbase. “How to Buy & Purchase Cryptocurrency.” Coinbase, n.d.

https://www.coinbase.com/how-to-buy#:~:text=You%20will%20need%20a%20valid,dependi

ng%20on%20where%20you%20live.

Coinbase. Scaled compliance solutions from coinbase, n.d.

https://www.coinbase.com/compliance.
 62

eToro. NanoRep widget, n.d.

https://etoro.nanorep.co/widget/widget.html?kb=1162503822&account=etoro#onloadquestion

id=1185235252.

Europol. “Europol Supports Spanish Authorities in Taking down Europe’s Biggest Narco Bank.”

Europol, October 14, 2022.

https://www.europol.europa.eu/media-press/newsroom/news/europol-supports-spanish-author

ities-in-taking-down-europes-biggest-narco-bank.

Financial Action Task Force. “FATF 40 Recommendations - Financial Action Task Force.” Financial

Action Task Force, October 1, 2012.

https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/FATF%20Standards%20-%

2040%20Recommendations%20rc.pdf.

Financial Action Task Force. FATF (2014), Anti-money laundering and counter-terrorist financing

measures - Spain, Fourth Round Mutual Evaluation Report, FATF.

www.fatf-gafi.org/topics/mutualevaluations/documents/mer-spain-2014.htmlFATF (2014)

Gemini. How do I verify my identity in the app? – Gemini, n.d.

https://support.gemini.com/hc/en-us/articles/360020715531-How-do-I-verify-my-identity-in-t

he-app-.

Gemini. “How to Buy Bitcoin (BTC): Buy Bitcoin in 6 Simple Steps.” Gemini, n.d.

https://www.gemini.com/how-to-buy/bitcoin.

Karlsen, Jonathan R., and Talis J. Putnins. “Sex, drugs, and bitcoin: How much illegal activity is

financed through cryptocurrencies?” SSRN Electronic Journal, Jan. 2019,

https://doi.org/10.2139/ssrn.3102645.

Kraken. “Know Your Customer Questionnaire.” Support.

https://support.kraken.com/hc/en-us/articles/know-your-customer-kyc-questionnaire.

Kraken. “Support.” Kraken, n.d.

https://support.kraken.com/hc/en-us/articles/360021973671-How-to-get-verified-on-Kraken.

Labourne, Marion, and Jim Reid. “The Future of Payments - Part III Digital Currency.” DB Research,

January 20, 2020.

 63

https://houseview.research.db.com/PROD/RPS_EN-PROD/PROD0000000000504589/The_F

uture_of_Payments_-_Part_III__Digital_Currency.pdf.

PricewaterhouseCoopers. “More than a Third of Traditional Hedge Funds Now Invest in Digital

Assets, Nearly Double a Year Ago: PWC Global Crypto Hedge Fund Report 2022.” PwC,

2022.

https://www.pwc.com/id/en/media-centre/press-release/2022/english/pwc-global-crypto-hedg

e-fund-report-2022.html.

Revolut. “What Is My Tax Residency?: Revolut Spain.” Revolut, n.d.

https://help.revolut.com/en-ES/help/more/legal-topics/tax-information/what-is-my-t

ax-residency/.

Revolut. “Why Does Revolut Collect Tax Information?: Revolut Lithuania.” Revolut, n.d.

https://help.revolut.com/en-LT/help/more/legal-topics/tax-information/why-does-revolut-colle

ct-tax-information/.

Spanish Head of State. Law 10/2010 of 28 April, on the prevention of money laundering and terrorist

financing. BOE Nº103 of 29 April 2010.

https://www.boe.es/buscar/act.php?id=BOE-A-2010-6737&p=20230629&tn=2

Team, Chainalysis. “The Chainalysis Crypto Myth Busting Report: 33 Cryptocurrency Myths

Refuted.” Chainalysis, July 11, 2023. https://www.chainalysis.com/blog/crypto-myths/.

Venly. “Know Your Customer: Ensuring Compliance and Security: VenlyVenl.” RSS, n.d.

https://www.venly.io/post/know-your-customer-ensuring-compliance-and-security.

Veriff, Veriff. “Identity Verification Pricing & Plans - Free Trial.” Veriff, n.d.

https://www.veriff.com/plans/enterprise.

Veriff, Veriff. “Identity Verification Pricing & Plans - Free Trial.” Veriff, n.d.

https://www.veriff.com/plans/self-serve.
Thank You !

Rodrigo Ximena Mickie

Prepared For GRANT THORNTON

Prepared By XIMENA RODRIGUEZ, RODRIGO MARTINS & MICKIE GUINEA