BankThink

The SEC was right to call Binance's geofencing bluff

The lack of explicit geolocation rules and standards in crypto — and across financial services more broadly — creates enormous compliance issues, writes Will St. Clair, of GeoComply.

Regardless of how one feels about the SEC's stance on digital assets, the allegations contained in the charges the agency has filed against Binance are severe. Among the most notable allegations is the charge that certain Binance employees orchestrated a complex scheme to obtain and retain high-value U.S.-based users on their unregistered international exchange, which violates both U.S. law and Binance's own publicly stated policies.

When crypto exchanges use shadowy techniques to access U.S. markets, they undermine the viability of the U.S. as a base for legal, regulated digital assets. They unfairly siphon liquidity away from crypto platforms and other financial services providers that actually do invest the resources needed to protect end users. Americans are harmed as a result. 

To best serve U.S. citizens and investors, regulators need to be clear and provide guidance on how to comply: If a crypto platform doesn't want to comply with the U.S. requirements, that is their choice. However, they must then take proven, effective approaches to entirely avoid the U.S. market. 

Binance's alleged strategy to retain U.S. customers was two-pronged. Binance relied on easily circumventable IP address controls for their jurisdictional restrictions while incentivizing U.S. customers to use location-anonymizing technology to access their offshore platform.

According to the SEC, Binance "[encouraged] U.S. customers to bypass … restrictions through the 'strategic treatment' of virtual private networks (VPNs) that would disguise their locations and thereby 'minimize [the] economic impact' of Binance's public proclamations that it was prohibiting U.S. investors on the platform." Additionally, the SEC alleges that this strategy was driven by senior-level leadership, with Binance CEO Changpeng Zhao allegedly directing employees to "implement a plan to encourage customers to circumvent Binance's geographic blocking of U.S.-based IP addresses by using a VPN service to conceal their U.S. location."

While the systemic encouragement of noncompliant practices is specific to the allegations against Binance, numerous companies in the crypto industry — even ones with smart compliance teams working in good faith — construct jurisdictional compliance programs with inadequate IP address technology. 

Internet Protocol (IP) addresses have been the status quo data point for user geolocation for four decades. However, IP is now obsolete for geographic compliance purposes. Not only is IP an inaccurate system — generally affiliated with data centers and not a device's location — but IP addresses can be easily manipulated by various cheap, easy-to-obtain and widely promoted tools, such as VPNs, proxies and fake location apps.

The use of such applications to manipulate IP addresses is hardly a secret. In fact, Binance's plan to service U.S. customers was premised on the belief that U.S. users would naturally gravitate toward using location obfuscation technology to access offshore accounts. 


In many cases, Binance employees didn't even have to explicitly tell their customers to manipulate their IP addresses. According to the SEC's charges, Binance employees were instructed to "[i]nform [the] user that the reason why he/she can't use our www.binance.com is because his/her IP is detected as US IP; if user doesn't get the hint, indicate that IP is the sole reason why he/she can't use .com." If Binance's "hints" were not enough, a simple Google search for "How to access Binance.com from U.S." will give you numerous VPN recommendations. 

Given the allegations laid out in the SEC's legal action, it's clear that the SEC views IP location controls as inadequate for geofencing (the act of placing digital barriers around a restricted jurisdiction) and that any platform relying on such controls may be opening up their platform — wittingly or unwittingly — to unauthorized users. For that matter, any financial services platform looking to accommodate divergent regional regulations will attract similar scrutiny by continuing such an approach. It would be surprising for U.S. regulators to allow this practice to continue. 

Anonymizing geolocation technology — incorporating diverse data sources such as Wi-Fi routers, cell towers and GPS — can determine a device's true location and close the loopholes in IP address compliance programs. Furthermore, aggregating multiple geographic data points enables compliance officers to determine if any one data point has been manipulated, thus providing additional confidence in the integrity of the end user. Ultimately, this allows companies to comply with jurisdictional restrictions and determine user intent while preserving privacy. 
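The cross-check described above, sketched as an added example (not code from this article or from any vendor): each location signal is compared with the others, and a source that disagrees with the majority is flagged. The function names, the 50 km tolerance and the sample coordinates are assumptions constructed for illustration.

```python
import math
import statistics

EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def inconsistent_sources(signals, max_km=50.0):
    """Return the sources whose position disagrees with most other sources.

    signals maps a source name ("ip", "gps", "wifi", "cell") to (lat, lon).
    max_km is an assumed tolerance, not a regulatory figure.
    """
    if len(signals) < 2:
        raise ValueError("need at least two independent signals to cross-check")
    flagged = []
    for name, pos in signals.items():
        dists = [haversine_km(pos, p) for n, p in signals.items() if n != name]
        # median_low picks an actual distance, so with three sources one far
        # outlier cannot drag the two agreeing sources over the threshold.
        if statistics.median_low(dists) > max_km:
            flagged.append(name)
    return sorted(flagged)

def verdict(signals, max_km=50.0):
    """Summarise the check: consistent, a minority mismatch, or unresolved."""
    flagged = inconsistent_sources(signals, max_km)
    if not flagged:
        return "consistent"
    if len(flagged) * 2 < len(signals):
        return "mismatch:" + ",".join(flagged)
    return "unresolved"  # no majority to trust, e.g. only IP vs. GPS

# Constructed sample sessions (coordinates chosen for illustration only).
VPN_SESSION = {"ip": (52.3676, 4.9041), "gps": (40.7128, -74.0060),
               "wifi": (40.7130, -74.0050), "cell": (40.7200, -74.0000)}
SPOOFED_GPS = {"gps": (51.5074, -0.1278), "ip": (41.8781, -87.6298),
               "wifi": (41.8790, -87.6300), "cell": (41.8850, -87.6200)}
HONEST = {"ip": (41.8781, -87.6298), "gps": (41.8785, -87.6301),
          "wifi": (41.8790, -87.6300)}
TWO_ONLY = {"ip": (52.3676, 4.9041), "gps": (40.7128, -74.0060)}
```

With only two signals a disagreement is detectable but not attributable, which is why the check returns "unresolved" rather than naming a source.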

Not only does location obfuscation create serious problems for market regulators, but the ability to disguise one's location online facilitates all sorts of nefarious activity that harms Americans, ranging from sanctions evasion to money laundering to drug trafficking. After all, the last thing a bad actor will want to do is lead law enforcement to their front door.

While the digital revolution has enabled fintech platforms to conduct business with unprecedented global reach, it has introduced new challenges to compliance systems. The lack of more explicit geolocation rules and standards in crypto — and across financial services more broadly — creates enormous compliance issues.

An IP address-based compliance architecture for our new digital financial system won't cut it. Regulators must explicitly prescribe standards for modernizing geolocation processes. Simultaneously, compliance executives need to take a fresh inward look at how they can improve their own procedures knowing these facts. Until this happens, the United States will continue to foster a financial system that puts compliant platforms at a disadvantage.
