New York can force exchanges to block VPN access

The Attorney General of New York (NY AG) published a report in the late autumn on cryptocurrency trading platforms that operate in New York. One of the many interesting findings of the investigation was how virtual private networks (VPNs) can facilitate market manipulation.

VPN is an important tool for privacy-oriented cryptocurrency traders as well as it is the only way for some users to access these markets in countries such as China. Should local exchanges consider the report as a call to prohibit access to services via VPN?

Not necessarily, but they need to address this issue in the wider context of their overall compliance program.

In general, NYAG’s attention to VPN has been designated in the context of effective access control to ensure equity and market integrity, as well as customer protection. Access control begins with the basic rules of KYC, which are necessary to confirm the identity of new customers.

While the eight trading platforms that responded to the request of the prosecutor’s office, require customers to submit various forms of personal information and state identification before bidding, Bitfinex, for example, only requests an email address if trading only with crypto (there are different requirements in case of fiat deposits and withdrawals). In addition, the Tidex exchange, which states that it prohibits citizens of the United States from using the service requires only the email address, the name, and telephone number. Recently the exchange has filed an application to the Financial Crimes Enforcement Network (FinCEN) to obtain a license for monetary transactions.

A common additional access control for online companies is to monitor user IP addresses to determine their approximate geographic location and track suspicious behavior appearing from a specific computer connection. For example, transactions in multiple accounts coming from the same IP address may be suspicious. Simultaneous access from IP addresses that are not in close proximity can be a sign of fraud or cyber attacks.

IP addresses can be also masked using VPNs that route connections through a third-party network. This allows a person to simulate a place of residence in another jurisdiction or to open several accounts and pretend that they are not connected. Companies that block access to VPNs, such as Netflix and Hulu, are likely to take action against the well-known list of VPN servers. These controls are not perfect, since VPN services often change the IP addresses of servers to be one step ahead.

Although most exchanges that responded to a NYAG request reported that they control access by IP address, only two sites claimed to restrict access via VPN.

In addition the New York prosecutor’s office expressed concern that cryptocurrency exchanges that do not require identity verification for trading and do not take active measures for blocking access through VPN may not be able to deal with manipulation in trading.

For example, one person may open two accounts and engage in fictitious transactions when traders buy and sell the same asset again to create a false sense of market activity for price changes (which is also called pump and dump). Unfortunately, fictitious transactions are common in cryptocurrency markets, because exchanges are evaluated on the basis of trading volumes.

In the past summer, Blockchain Transparency Institute (BTI) published a study where it stated that the largest cryptocurrency exchanges overestimate trade volumes or participate in fictitious transactions. BTI explained that the 130 best trading platforms included in the study inflate daily trading volumes by more than $6 billion.