Coincheck exchange leak exposes chinks in Japan’s regulatory armor
29 January 2018. By Toko Sekiguchi.
The biggest cryptocurrency leak in Japanese history, announced at midnight on Friday, has underscored the difficulty regulators face in striking the precarious balance between overseeing an industry that thrives on innovation and protecting consumers against fraud and security lapses.
Japan’s Financial Services Agency today issued a compliance order against Tokyo-based cryptocurrency exchange Coincheck, after the company announced late on Friday that it had lost 58 billion yen ($534 million) worth of NEM coins, a virtual currency. It also mandated all existing crypto exchanges to review their security in advance of urgent FSA inspections.
Although the FSA’s swift action — the order came on Monday morning — was made possible by Japan’s legalization of cryptocurrencies, putting exchanges under the jurisdiction of Japan’s powerful financial watchdog, it has also called into question the effectiveness of the FSA’s vetting process.
Coincheck’s chief operating officer, Yusuke Otsuka, said on Friday that the NEM coins stolen had been managed in a “hot wallet” — connected to the Internet, as opposed to an offline “cold wallet” — and lacked a multi-signature control system that would have required multiple sign-offs for added security.
Otsuka acknowledged that the company had failed to take those security measures, which are recommended by the FSA, and said the illicit transfer, which occurred at around 3am Friday and which was detected around noon, had affected around 260,000 account holders.
Coincheck has since announced that it will use its own funds to compensate those affected, returning the lost funds in yen at the average value of NEM coins between the time it suspended NEM trading on Friday and Monday’s refund announcement. The company has yet to report whether it holds enough cash for the reimbursement, the FSA said.
The financial regulator said that it chose a compliance order over the more severe penalty of suspension with Coincheck’s customers in mind. A suspension would delay the payout to those affected customers, MLex understands.
However, Japan’s largest cryptocurrency leak — even in comparison to that of the 2014 Mt. Gox scandal, which triggered the regulatory control of virtual money — raises questions over the adequacy of the FSA’s oversight.
That’s because Coincheck, Japan’s biggest Bitcoin exchange by volume, exists in a legal gray zone. After the implementation of Japan’s new funds settlement law, which legalized cryptocurrencies in April 2017, the law allowed pre-existing currency exchanges six months to register with the regulator. When the deadline fell at the end of September, the FSA had yet to certify all those exchanges that had applied.
In order to prevent massive disruptions, exchanges still awaiting FSA approval were allowed to continue operations. Currently, in addition to the 16 FSA-certified exchanges, another 16 are still awaiting approval. Coincheck is one of them.
Moreover, the FSA has never turned down any applications for approval. A dozen operators had voluntarily shut up shop rather than submit applications by the end of September, MLex was told.
The FSA insists that Japan is leading the world when it comes to the oversight of cryptocurrency operators, while neither endorsing nor opposing blockchain-based currency itself. However, the fact that an operator the FSA had yet to approve had not only grown into one of the country’s biggest exchanges, but also found major security holes exploited even as it widely advertised itself on television, is likely to call attention to Japan’s prized regulatory systems.
The FSA maintained on Monday that it was acting based on the law already on the books, and that it had no plans to change its position. The agency declined to comment on whether Coincheck’s massive leak would affect its approvals process. It did say, however, that the vetting process included checks on companies’ measures against money laundering, cybersecurity threats and security systems.