Coincheck Hack & Australian Crypto Regulation: What You Need to Know

New risk rules for cryptocurrency exchanges will be put to the test with the latest hack on Japanese exchange Coincheck. Hackers stole US$660 million worth of NEM (its native cryptocurrency).

In the past eight years, more than a third of all cryptocurrency exchanges have been hacked. The total losses exceed US$1 billion. Because cryptocurrencies are almost untraceable, the rate of recovery after a hack is very low.

A number of countries (including Australia) have enacted legislative provisions to regulate the conduct of cryptocurrency exchanges. Regulators hope these will reduce the risk of attack and make operators more accountable for losses suffered by customers when an attack does occur.

Complying with AUSTRAC’s new regulations will be expensive for exchanges. With Australia’s new data breach notification laws coming into effect next month, gathering and securing sensitive information about customers and their deposits will be more onerous than ever.

The problem that faces regulators and investors is that the cost of compliance acts as a deterrent to registration. And because registration requires compliance, exchanges need to outlay significant capital before they start to trade. The sheer size of Coincheck’s losses indicates it was a high-volume exchange and yet, at the time of the hack, its registration was still pending.

Traditionally, when a foreign exchange collapses and is unable to return customers’ deposits, the regulator might prosecute the directors for operating without a licence, failure to comply with financial services regulations, or for insolvent trading. Insolvent trading, for example, attracts both civil and criminal sanctions.

When a cryptocurrency exchange is hacked, the operators and their customers are all victims, but the operators will be made liable for those losses. Under Australia’s current laws, a major hack of a cryptocurrency exchange will be met with similar challenges as those facing the Japanese authorities in the wake of the Coincheck theft.

Any investigation of an exchange could involve the Australian Securities and Investments Commission (ASIC), the Australian Taxation Office (ATO) and AUSTRAC. The level of scrutiny that would follow, could reveal a multitude of sins, including some that are unrelated to the hack.

For example, ASIC has the power to prosecute for insolvent trading, operating a Ponzi Scheme and breaches of financial services legislation. The ATO could investigate whether GST was being paid on trades.

Frustratingly for the customers and investors, seeing the operators punished does not reimburse them for their financial losses. Repaying deposits after a hack depends on whether the operators remain in the jurisdiction and have any funds of their own.