The Financial Action Task Force (FATF) has recognized geolocation data as an important part of digital identity and KYC verification for virtual asset service providers (VASPs) – like cryptocurrency exchanges. Given today’s money laundering and terrorist-financing threats, FATF’s crypto recommendations are both needed and timely.
In both the original and updated draft of its “Guidance for a Risk-Based Approach to Virtual Assets and VASPs,” FATF encouraged VASPs to use geolocation data and other readily available information to help:
- Verify a customer’s identity during onboarding
- Authenticate customers for accessing accounts
- Determine the customer’s business and risk profile
- Conduct ongoing due diligence
- Mitigate money laundering and terrorist-financing risks
In its 2020 “Guidance on Digital Identity,” FATF recommendations also highlighted geolocation as an example of dynamic, digital customer data sources that enable regulated entities to capture essential authentication information.
In both of these guidances, FATF distinguished IP addresses as a separate identity attribute than geolocation data. This distinction should signal a red flag for VASPs such as crypto exchanges that rely only on IP addresses to verify location.
Here’s why:
Why IP Addresses Alone Are Useless for Location Verification
IP addresses are the easiest location data points to spoof, thanks to VPNs and DNS proxies. In fact, many VPN providers are actively marketing their products to crypto traders as a way to specifically circumvent geographic restrictions.
Mobile IP addresses are even less reliable, because they will always be associated with the location or country where the device was activated. So if a mobile device was purchased and activated in the United States with a U.S. SIM card, its IP address will always show the device as being located in the U.S., regardless of where the device is actually being used.
So a user’s mobile IP address may identify their location as Hong Kong, for example, but they’re actually in the United States. This means the exchange may be subject to U.S. regulations without realizing it.
Improve Crypto Compliance with Multi-Source Geolocation Data
In the fight against terrorist financing and money laundering, FATF clearly indicates that no single data type is sufficiently trustworthy for identity verification and authentication. Similarly, in terms of accuracy and integrity, multi-source geolocation data (e.g., Wi-Fi, GPS, GSM/cell tower triangulation, HTML5, etc.) is critical, as the graphic below illustrates:
By aggregating these multiple data points – and verifying them for authenticity – crypto exchanges can more accurately pinpoint a trader’s true location. This data can be easily integrated into an exchange’s underwriting, onboarding and customer identity verification processes to improve crypto KYC, anti-money laundering (AML) and sanctions compliance.
Global regulators are tightening up their KYC/AML requirements, and exchanges are feeling the pinch of the new restrictions. For example, the South Korean arm of crypto exchange OKEx said it’s closing in part due to the country’s strict new AML rules.
In the face of this increasing regulatory risk, crypto exchanges would do well to follow FATF’s recommendation for KYC and AML compliance, and use geolocation data to strengthen their identity verification and authentication processes.
Compliance is more than a checklist – it’s a commitment! Learn how you can raise the bar on sanctions and AML compliance in our white paper.