Trustology Founder and CEO about the Important “Whys” of Compliance Within the Crypto Space

Alex Batlin, Founder and CEO at Trustology:

“What we do is help people safeguard and administer their crypto assets across blockchains, DeFi protocols, and exchanges. Emerging solutions like ours allow you to work to keep your crypto assets safe and deploy those assets across a range of opportunities to earn yield.”

200+ companies from 25 countries outsourced software development to Relevant

We provide companies with senior tech talent and product development expertise to build world-class software. Let's talk about how we can help you.

Contact us

Trustology has developed an insured, user-friendly custodial wallet platform for institutional-grade security, automation, and management of crypto assets. As a result, they make it safer, faster, easier, and more accessible for institutions and individuals to access crypto markets to manage, create or find value in crypto markets.

Table of Contents

• Meet Trustology: Good at Keeping Secrets and More in Crypto Markets
  The Custodian Wallet Provider’s role in FinTech.  
• AML Compliance: How Do You Address the Challenges? 
  What does it take to be compliant in crypto markets?   
• Make, Drive and Be the Perfect Team 
  An efficient internal team does not exclude Advisory.

Meet Trustology: Good at Keeping Secrets and More in Crypto Markets

Alex, tell us about what you are doing in Crypto Markets and what’s your primary mission? 

What we do is help people, particularly institutions, safeguard and administer their crypto assets. Typically, people look to custodians because they want to get a lot of value under their management. 

Emerging solutions like ours allow you to keep your crypto assets safe but simultaneously deploy those digital assets across various opportunities from trading through to staking or leveraged finance to earn yield, for instance. We’re focused more on servicing institutions, corporates, and private clients either in crypto markets or looking for exposure in digital assets. We do that because, essentially, one of the difficult things in crypto markets is allowing shared or multi-person access to assets.

Could you please elaborate on the difficulties institutions face?

The whole industry for cryptoassets came about with the individual in mind, i.e., peer-to-peer versus multi-person access model, which is needed for institutional adoption.  Typically, in the peer-to-peer model, people will have a kind of “dongle” or “hardware wallet” where the ‘secret’ key exists. This key gives the audience the ability to prove that they are the owner of the assets, and then, they can sign transactions with it to transfer assets. But the problem that arises with institutions is when you have multiple people potentially involved in the approval process for transactions. Hence, you need multi-person access to the assets, and a dongle or hardware wallet simply can’t work especially if teams are geographically dispersed. For example, imagine you have a company treasury for crypto assets. You probably need a CFO and the CEO to approve high-value transactions and transfers. Yes, you can share the private key with them. But if and when those folks leave, they can steal your funds. So, you’d never really want to give the keys to someone but provide the managed access control to those keys to sign the transactions. And even if there is no maliciousness involved, people sometimes lose keys on the blockchain, which is equivalent to losing their assets.

Additionally, if your security is not good enough, somebody can hack you. So, there are many opportunities with cryptoassets but equally many risks that people need to mitigate. That’s why people come to crypto custodians like us who can handle the security and transaction management required.

Compliance: How do you address the challenges? 

Would you agree that crypto assets seem to remain a relatively unregulated sector? 

Initially, crypto-assets were unregulated, but the fifth AML directive was introduced a few years back and finally came into force in 2020 and changed this. It basically said, “Look, they’re going to bring in new types of assets.” And these new assets are going to be categorized as either “exchange tokens” and “utility tokens.” Exchange tokens are Bitcoin. You call them “exchange tokens” because their primary utility purpose is to facilitate an exchange of value. Thus, they provide an alternative to fiat money. “Utility tokens,” on the other hand, are assets that can be used as exchange tokens in some cases but also as a form of payment for different services. Ethereum is a good example of this, where to process decentralized exchange transactions, you pay the network operator fees in Ether. The Ether then in and of itself has “utility”, as it’s paying for computation resources but at the same time has value, as a ‘pseudo currency’. So this is how these types of assets are featured within the parameters of EU regulation.

It’s important to note that different regulators do different things worldwide. However, as we are UK-based, of course, and after Brexit, where all of the EU directives were transposed, including the fifth AML directive it obligated UK-based entities, like custodian wallet providers such as ourselves—who are safeguarding and administering cryptoassets on our clients’ behalf—to become registered with the FCA as a cryptoassets business.  

Those registration practices are pretty demanding nowadays, and unfortunately, it’s much closer to authorization than registration. Oftentimes, when people think of registration, many folks think it’s a simple process of going to a database and putting in their details. However, such is not the case with the FCA. They perform extensive checks, look at your business model in great detail and at the compliance procedures and policies in place per program, technology, and pricing structure, and only then register you if the above criteria have been satisfied. That process was meant to finish by the end of 2020, people had to register their business if they were performing cryptoassets activities within the UK. If they didn’t register, then they wouldn’t be allowed to operate those activities any longer. However, the FCA  had so many applications for review that they didn’t have the time to finish in 2020. So, a select few companies such as Trustology were granted “temporary registration” until the final review was completed in March 2021 and July 2022, depending on when companies applied to register. 

What does being compliant mean in the FinTech cryptocurrency world?

In the US, you need to be registered as a qualified custodian. In Germany, a law was passed back in 2019 that required firms custodying crypto for Germans to apply for a crypto custody license or leave Germany. In the UK, if you don’t have the registration, you’re going to be shut down, and if you continue providing cryptoassets services without registration, you can face severe repercussions ranging from fines to jail time. So it’s a pretty simple incentive if you happen to be the Founder or Director of the company. But yes, I think this is an obvious thing – you need to have the registration to stay out of jail if you want to provide the service (laughs). But the flip side does give customers more assurance – the FCA is checking out those entities.

And what do you think of Sandbox as an excellent option to meet regulations and win credibility?

Sandbox is something created a few years ago. It wasn’t anything to do with crypto. However, the Sandbox is a valid mechanism as it essentially allows dialogue between the FCA and the companies in the cohort. It will enable them to issue a no-action letter. Like, if you do what we’ve discussed you do, we will not take any action against you. The FCA will not pursue actions against you if you act within the parameters of the agreement within a period. 

There could be several reasons the crypto world is just so out of “normality” that many people are struggling to engage. Once the EU regulation came out, the requirements became apparent. The rest is much more about how you practically implement compliance programs under the new regime. The reality is – you don’t often have a Counterparty as that’s also a registered entity. So it’s challenging to implement a trouble rule because it could be an anonymous address. So you have to take a risk. It’s always a risk-based approach, but this is like an ultra-risk-based approach. 

In the UK, the Joint Money Laundering Steering Group (JMLSG) was very beneficial. The current anti-money laundering steering group came up with a bunch of guidance notes under Section 21 and discussed the expectations. I think that helped to clarify a lot of the positions around that space. And then, of course, recently, the FATF issued international guidance on red flags for virtual assets and service providers, which influence much of the regulations in specific jurisdictions.

But there’s still a question about the custody space. Should a decentralised exchange be regulated as an exchange or not? 

Alex, the FCA has recently tightened regulations towards cryptocurrencies. How does it impact businesses looking to operate in crypto markets?

You know, now that the regime is in place, they’re essentially simply saying, if you’re not registered, then you need to cease activity. And of course, as the FCA works with each company that applies for registration, they do a thorough job understanding whether the compliance program is adequate. People who might not have come from a regulated background will find that a massive shock. Those of us who came from traditional banking would expect it to happen. We saw several companies that withdrew their registration because they weren’t prepared to go through that process.

The other issue is always around cost. The regulation provides many advantages, assurances and prevents terrorist financing and money laundering. But, on the flip side, it also increases costs. When looking at the KYC process, it can cost a lot of money to KYC and KYB clients if it’s a legal entity with complex structures. Subsequently, you have to monitor the transactions continuously and with high-risk customers that can be expensive. So, that means that essentially you have to pass those costs on to customers.

In some cases, business models with tiny margins that have to be regulated now are no longer possible. For example, some folks beforehand were offering retail, custodial wallet solutions that were almost free. But as soon as you have to start doing transaction monitoring and KYC, you can’t offer that. 

The use of self-hosted or non-custodial wallets is allowed which are privacy and identity preserving. In essence, it’s pushing people away from the custody solutions, where there is at least some association between identity and your transaction history to a self-service model. 

By pushing more towards very tightly regulated environments, you’re creating a situation where many individuals can’t obtain a custody service as it’s too expensive. Then they become even less regulated because there’s no association to an identity. It’s not a new phenomenon in traditional banking where a large contingency of underbanked people exists. They don’t have sufficient balances for banks but have enough risk to balance. They can’t afford banks. So, they go to the black market where, frankly, criminals assault them with enormous prices for markups and the ability to do digital transactions. So, we have to strike the right balance to prevent money laundering and people from turning to unregulated means of transacting. 

Make, Drive and Be The Perfect Team

Alex, tell us about the story of your experience. 

I worked in pretty large banks most of my life. I started at JPMorgan, followed by Nomura, and then moved to UBS. In UBS, I ended up running the innovation function, based in the UK’s Level 39 accelerator – Europe’s largest FinTech incubator. We were looking to spot money laundering terrorist financing through machine learning and looking to other innovative projects like crypto through the bank’s Crypto 2.0 Pathfinder research program into blockchain technologies. I got to learn a lot there, especially on how to do risk-based automated compliance. I was pretty lucky to have exposure to a lot of that. Working in a regulated environment, you’re forced to understand a lot about the regulation of the crypto space. 

I also recognized that blockchain’s application within banking was inevitable, but also highly necessary to revolutionize financial services and become the operating system that underpins the digital economy.  Then I started Trustology, first as a ConsenSys spoke, and then we spun out as a separate company, after closing £8m seed funding with ConsenSys and Two Sigma Ventures back in 2018. 

Now, with our FCA registration in hand, we’re looking forward to Trustology’s next chapter in institutional Defi and crypto markets. 

Maybe, there are some things which you wish you had known at the very beginning of your journey? Would you advise startups of anything?

As a startup, the first thing you need to do is find a product-market fit. And the faster you can do that, the quicker you can go to market. But, remember, you always have a limited runway. So, investing a lot and writing procedures/documents is always very difficult to justify. Why write the procedures and papers if you can’t prove that there is a market for the offering?

Second, you have to be regulated if you are planning to offer financial services. Hence, be prepared to write loads of documentation around the policies and procedures you have in place. So you’re in a constant rush to collaborate and balance the two tensions. I don’t think there’s a proper way of doing that, but you know the company’s culture has to change. Accommodate for that as soon as you are going down the regulator path. Have dry procedures and policies and have regular review sessions. That isn’t always easy to balance. However, I don’t think there is a golden answer. Just be aware that you need to add an extra 50% in time and effort to document everything as soon as you’re going down the regulated path.

As you mentioned, certification takes a lot of time. So maybe there are some hacks that startups can use to reduce the time and costs even?

Yeah, absolutely.  I think good consultants can speed things up. Because, essentially, you’re not reinventing the wheel. So, I would say, consider consultants to come in. Of course, there are good and bad ones (you will get lucky in having good ones). But still, it can speed up things a lot.

Also, you have to design with compliance in mind, e.g., your IT systems have to be good enough to log everything. So, audited logs with documentary evidence that you can supply – that helps a lot.

Were there some tricky issues you faced with the regulatory reporting? Are there any blind spots? 

I think the problem with any regulations is risk-based. There’s always a balance to strike because you have to decide around what’s suspicious and what’s not. There’s no such thing as “over-reporting,” and you want to provide quality information to the NCA or whoever you’re reporting to. So, justify your rationale. Then, get that balance right, doing the investigations. 

E.g., we use Chainalysis to understand the 10 degrees of separation between specific activities. That’s hard and, in crypto, significantly harder. For example, with typical banking, you always have regulated entities. That’s why you know who you’re dealing with, i.e., sender and receiver. When the money comes in, you need to understand if it’s suspicious or not; when money comes out, you need to decide if you should quarantine that or not. But once it goes to another service provider, your accountability stops on the blockchain as everything is recorded into a single ledger. 

So, even if the cryptoassets have moved from one address to another – it’s still a global kind of ledger. I can see where the money from one of our wallets goes on the blockchain regardless of how many blocks in it lands. And then if somebody does something suspicious, we get to know about it, and get alerted. So after that, you have to investigate and understand if they are performing something suspicious. In some ways, we have to do more because technology allows us to. No single bank is required to ask all the downstream banks they send the money to supervise their activities. So, I think that’s an area where we need to decide, along with regulators, what’s a reasonable cutoff point. I think there’s a little bit of a grey area there that needs to be worked through.

As I understand, you do not have your in-house compliance team. So, you turn to outside advisors, am I right?

Now, we have both an internal compliance team and external advisors. External advisors give you a fresh independent look at what’s happening. And having that third-party perspective is essential. The external people will not be as involved in the business as your internal team, so they’ll see everything differently. That’s why having different opinions can be helpful.

And what is the most significant advantage of having an internal team? 

They know your customers so well. But, if you’re an external console, it isn’t easy to know them already. So, getting to know your customer, understanding patterns – is the key.

Your Next Read