
Q&A: Professional Negligence and Cryptocurrency (Part 2)

Q2: How can a forensic accountant assist in establishing liability in negligence against a crypto exchange?

Solicitors will always deal with issues of duty of care and causation, but a forensic accountant can handle matters of damages and what controls one would expect to find in a crypto exchange to protect their clients’ money.

The likely scenario is a claimant who wishes to claim against an exchange for negligence because they have been a victim of a scam/hack and believe the exchange has failed in its duty of care when administering the claimant’s wallet. Initially, customers often reach out to the exchanges for support. However, customer support is slow and inept for many users. After numerous emails and chat conversations, customers may look to their next option and bring a claim against the exchange. The critical document in determining the next step is the user agreement or terms of service. Often user agreements provide for mandatory arbitration.

The forensic accountant first needs to collate evidence to understand clearly what has happened and how, including the extent to which any party was negligent. How the exchange receives this request for information and responds will dictate how this matter proceeds legally. The forensic accountant should try to trace the flow of funds and identify their current location, their ownership, and the offenders. This can be achieved with the assistance of specialist investigators and software, which enables the forensic accountant to follow the trail of money and determine where it is now. The Know Your Customer (KYC) and Anti-Money Laundering (AML) checks that the exchange should have undertaken may assist in achieving this, particularly if the individual has been the victim of a scam. However, many of the exchanges, including the larger exchanges, have been found by the regulatory authorities to have inadequate systems for undertaking KYC/AML checks, and the checks have been carried out as mere tick-box exercises. They have also failed to put adequate processes in place for transaction monitoring and suspicious activity reporting. Many exchanges have a backlog of customers needing enhanced due diligence.

Based on a holistic view of the information obtained in their application of customer due diligence (CDD) measures, exchanges should be able to prepare a customer risk profile. A customer’s profile determines whether to enter, continue, or terminate the business relationship. Risk profiles can apply at the customer level (e.g. nature and volume of trading activity, the origin of virtual funds deposited, etc.) or where a cluster of customers displays the same characteristics (e.g. customers conducting similar types of transactions or involving the same virtual assets). Exchanges should periodically update customer risk profiles of business relationships to apply the appropriate level of CDD. All customers should be screened against available blacklists.

Risk mitigation measures that may be employed are:

  • time delays before certain automated and manual transactions can be carried out, with a view to restricting the rapid movement of funds
  • the prohibition of transfers to third parties (i.e. the name on the source and destination accounts must match where money is exchanged for crypto assets or crypto assets for money)

What ‘Know Your Customer’ checks is an exchange normally expected to undertake?

  • the crypto exchange requests personal information
  • the exchange verifies the customer’s identity
  • the exchange corroborates the customer’s identity from official databases containing the relevant information
  • assessing the purpose and intended nature of the business relationship or occasional transaction
  • the exchange determines the customer’s risk profile
  • if everything is in order, the client can engage in specific cryptocurrency exchange activities
  • the information collected during the KYC process may include wallet addresses and transaction hashes
  • measures to mitigate the risk of impersonation fraud for non-face-to-face transactions and relationships

Enhanced due diligence measures include:

  • corroborating the identity information with information from third-party databases or other reliable sources
  • searching the internet for corroborating activity information consistent with the customer’s transaction profile
  • tracing the customer’s IP address, and
  • requesting data relating to transaction and trading history

As well as internal tools to protect customers, exchanges should:

  • be able to detect which country a customer is onboarding from and offboarding to
  • have adequate KYC/AML checks, which are not tick-box exercises
  • be able to identify a pattern of transactions that are happening within a very short space of time, which may indicate intent
  • have good data to detect potential scammers, and this data should be married with other tools within the organisation
  • monitor the overall activity of the exchange’s customers to get a complete picture
  • have transaction monitoring tools, and
  • have ongoing monitoring
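The time-delay and name-matching controls listed earlier, and the short-window transaction pattern check above, can be expressed as a simple withdrawal policy. The following is an added illustration, not code from the original article or from any exchange; the customer data, the window of 10 minutes, the limit of two withdrawals and the 24-hour hold are all constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: one customer's withdrawal requests over a morning (not real data).
SAMPLE_TXS = [
    {"id": "w1", "ts": "2024-01-10T09:00:00", "amount": 0.5, "src_name": "A. Smith", "dst_name": "A. Smith"},
    {"id": "w2", "ts": "2024-01-10T09:02:00", "amount": 0.5, "src_name": "A. Smith", "dst_name": "a smith"},
    {"id": "w3", "ts": "2024-01-10T09:03:30", "amount": 2.0, "src_name": "A. Smith", "dst_name": "B. Jones"},
    {"id": "w4", "ts": "2024-01-10T09:05:00", "amount": 1.0, "src_name": "A. Smith", "dst_name": "A. Smith"},
    {"id": "w5", "ts": "2024-01-10T11:30:00", "amount": 0.2, "src_name": "A. Smith", "dst_name": "A. Smith"},
]


def norm_name(name):
    """Normalise a name for matching: lower-case, punctuation dropped, whitespace collapsed."""
    kept = "".join(c for c in name.lower() if c.isalnum() or c.isspace())
    return " ".join(kept.split())


def evaluate(txs, max_in_window=2, window=timedelta(minutes=10), hold=timedelta(hours=24)):
    """Return one decision per withdrawal: 'allow', 'hold' (time delay) or 'block'.

    Rule 1 (third-party prohibition): source and destination names must match.
    Rule 2 (velocity / time delay): more than max_in_window withdrawals inside
    `window` puts the newest one on hold until ts + hold, so a burst of rapid
    withdrawals cannot drain the account before anyone can review it.
    """
    decisions = []
    recent = deque()  # timestamps of name-matched withdrawals still inside the window
    for tx in sorted(txs, key=lambda t: t["ts"]):
        ts = datetime.fromisoformat(tx["ts"])
        if norm_name(tx["src_name"]) != norm_name(tx["dst_name"]):
            decisions.append({"id": tx["id"], "action": "block",
                              "reason": "destination name does not match source"})
            continue
        while recent and ts - recent[0] > window:  # drop timestamps outside the window
            recent.popleft()
        recent.append(ts)
        if len(recent) > max_in_window:
            decisions.append({"id": tx["id"], "action": "hold",
                              "release_at": (ts + hold).isoformat(),
                              "reason": f"{len(recent)} withdrawals within {window}"})
        else:
            decisions.append({"id": tx["id"], "action": "allow", "reason": ""})
    return decisions


if __name__ == "__main__":
    for d in evaluate(SAMPLE_TXS):
        print(d)
```

A real deployment would key the window per customer and per asset and feed the held items into a review queue, but the two rules themselves are what the article's list describes.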

The forensic accountant can show a court what they would normally expect to see from an exchange after it has performed adequate KYC/AML checks and tell the court what, in their opinion, is lacking from the checks actually undertaken.

Exchanges have had plenty of time for their KYC/AML checks to develop and mature.

The forensic accountant, with the assistance of the legal team, may be able to recover some of these monies and so mitigate the claimant’s loss.

The forensic accountant will have to quantify the loss suffered using documentation supplied by the claimant and the exchange (transaction histories) to establish what crypto the victim held at that time and what was stolen from their account.

The forensic accountant will then need to investigate further how the theft happened and what the exchange could have done to prevent it.

If the cryptocurrency was stolen from the exchange in a hack, then it would be necessary to examine the exchange's security controls with expert assistance to determine if they were sufficient and would have been those that an ordinary prudent exchange would have in place.

Even the larger, well-known exchanges get it wrong. Only recently was a case brought against an exchange for alleged security failures that led to the repeated theft of ordinary customer accounts.

This exchange purported to safeguard the assets of customers from robbery or theft. However, it did a poor job protecting its user accounts from theft. It did an even worse job of working to mitigate those thefts after they had occurred, forcing customers to navigate a faceless and impenetrable automated customer service process that led nowhere. Despite significant fines, problems persist at the exchange, and customers continue to be fleeced by hackers who have access to the exchange’s systems. The claimant in this case had opened an electronic wallet stored on the exchange’s allegedly secure servers. Hackers gained access to the claimant’s account through no fault of the claimant and, after locking him out, emptied it completely. The claimant alerted the exchange but was only routed to the impenetrable automated complaints processing system, which made it impossible for him to redress the theft of his money.

This exchange advertised itself as a trusted repository of customers' funds and the most secure platform for buying and selling cryptocurrency. It even claimed that ‘we’re the only crypto exchange to have never been hacked’ and boasted that it uses bank-level security standards applicable to its wallet and storage systems. Surprisingly, this exchange had already been hacked, and customer funds had been stolen multiple times within the previous two years. Exchanges make many other claims on their websites and social media regarding security and will often try to escape the resulting duties by burying disclaimer language in their websites. This exchange eventually acknowledged that it was aware that a security vulnerability in its platform had allowed hackers to access customers’ accounts and extract customer personal information.

Exchanges are well aware of the danger of hacking and its adverse impact on the exchange’s brand and reputation, and certainly don’t want such incidents publicised.

Solicitors will need to help the forensic accountant, using the Courts, if necessary, to get the required information from the exchange and show a direct link between the lack of security or reasonable care and the theft of the cryptocurrency.

Further information to obtain from an exchange includes:

  • history of past hacks including the nature of them, what action was taken then and what action was taken to avoid such a hack happening again and whether this has been effective
  • what action could have been taken by the exchange as soon as it was first advised of the loss to mitigate the loss and compare this to the action that was actually taken
  • has this security failure now been rectified
  • have other customers continued to suffer security breaches and losses of funds
  • expertise of the people employed
  • what ongoing training programs the exchange engages in
  • what processes the exchange has to ensure that management has a detailed knowledge of the regulations and is aware of changes in regulations

Quincecare claims against exchanges appear to have many obstacles. Increased regulation by financial authorities could change that picture. As exchanges become more regulated, and such regulation is akin to traditional banking regulation, it will become more likely that the courts will be willing to impose duties of care on exchanges.

About the author

Raymond Davidson

Raymond has been specialising in Forensic Accounting and Litigation work for over 30 years, is a Fellow of the Institute of Chartered Accountants in England and Wales and was trained by the Academy of Experts to act as a Mediator.

EXPERT WITNESSES & FORENSIC CHARTERED ACCOUNTANTS

DAVIDSONS FORENSIC ACCOUNTANTS
