Binance and the Trojan Horse
The criminal prosecution of Binance highlights the integral but little understood role of nested accounts in facilitating financial crime
Imagine, for a moment, that you are a criminal specializing in ransomware. After infiltrating the network of a local hospital and encrypting its patient data, you have convinced its managers to pay a ransom for its return. As the hacking type, you naturally require the ransom to be paid in cryptocurrency. Now all that’s left is to launder the money. Your plan is to take the cryptocurrency to an exchange, where you can engage in bogus transactions to disguise its origin and, even better, disperse the funds to various wallets.1 But setting up an account at the exchange is risky; they might start asking all sorts of annoying questions about where the money came from. Luckily, a convenient solution exists, one that allows you to transact on the exchange without actually signing up: the nested account.
Nested accounts are most often associated with correspondent banking. This refers, in simplified terms, to arrangements in which banks provide services for one another’s clients.2 Say, for instance, that you run a company in Canada and need to make a payment to a supplier in Singapore. Your local Canadian bank may have a correspondent banking relationship with its Singaporean counterpart to make such cross-border transactions happen.
But perhaps your local bank does not have such correspondent banking relationships, because it is small and more focused on sponsoring local hockey tournaments. In this case, it can enter into an arrangement with another Canadian bank that does. This is referred to as “nested” correspondent banking.3 The customer does business with Bank A, which has an arrangement with Bank B, which, in turn, has a correspondent banking relationship with foreign Bank C. Through these connections, one can access the services of other banks without being a direct customer.
Nested accounts are not, however, limited to banking. They are also commonly offered by brokerages. One example is Direct Market Access, or DMA, a service in which brokerages allow their clients to participate on exchanges or other trading venues through their accounts. Like correspondent banking, DMA allows clients to access the services of trading venues without being their direct customers. This practice has been copied in the cryptocurrency world, where certain firms facilitate access to third-party exchanges for their clients. Nesting is, in sum, the underground plumbing of international finance, allowing funds to flow across borders through complex networks of intermediary relationships.
Nested Accounts as Trojan Horses
But there is great risk in serving nested accounts. Financial institutions may not fully understand who these third-party clients are, let alone their motivations to access their services indirectly. And, for market operators, the anonymity afforded by nested services may embolden users to engage in manipulative activity.4 Nested accounts can, in other words, serve as trojan horses for financial crime.
These are well understood problems in compliance circles. Most countries with major financial centers have established regulatory requirements specific to correspondent banking. America’s subtly-named PATRIOT Act, for example, requires that financial institutions apply enhanced due diligence on correspondent accounts.5 One or two banks, OK maybe more than a few, have struggled with these requirements. The struggle has been so real, in fact, that many banks have decided to simply cut back their correspondent services.6
Securities regulators have also noted the risks presented by DMA and penalized brokerages for failing to monitor how their clients behave on trading venues.7 In 2019, for example, Credit Suisse (may its memory be a blessing) was fined for precisely such an oversight. Over the course of about three years, Credit Suisse clients engaged in more than 300 billion orders via its DMA services.8 It did not, however, have any systems in place to monitor whether those clients were engaging in manipulative activity. The Swiss bank had, in essence, gone to the public park and let all of its dogs off the leash.
Therefore, when it was announced that Binance, the world’s largest cryptocurrency exchange, had admitted to various financial crimes and agreed to pay over $4 billion in regulatory fines, it was no surprise that nested accounts were involved.
Binance and the Hornets Nest
In December 2021, the Binance Academy posted a public warning against using nested “exchanges." The warning noted that these firms, which are essentially just brokerages facilitating customer transactions on actual exchanges, perform little to no due diligence and have been associated with illegal activity. They specifically reference the case of Suex OTC, a Moscow-based ‘exchange’ sanctioned by the US Treasury Department for facilitating transactions for ransomware actors.9
Less than two years later, Binance has been criminally prosecuted for, among other things, dealing with…Suex.10 Ouch. This was facilitated through nested accounts that Suex had established on Binance prior to being sanctioned. Binance advertised to its commercial clients that they could open up to 1,000 sub-accounts with no annoying requirements to verify those users. For brokers, there was no limit. Binance had, in other words, opened the flood gates to bad actors to operate on the exchange through nested accounts with little oversight.
There was even a way to get around the weak Know-your-customer, or KYC, requirements in place for direct clients. If you only conducted daily withdrawals of up to two bitcoin (equivalent to about $130,000 at its height), Binance considered you a “No-KYC” client. Zero due diligence was performed on such customers, despite that they would be allowed, at the peak of Bitcoin’s price, to withdraw a little over $47 million per year. You just needed one thing: an email address.
If $130,000 per day was insufficient, you could, of course, just set up lots of accounts and perform various transactions under two Bitcoin. This was precisely the strategy of BestMixer, a crypto money laundering specialist service eventually seized by Dutch authorities in cooperation with Europol.11 But if you were a ‘VIP’ client, Binance could even help you with that. Specifically, Binance established a process for tipping off its VIPs if they were under investigation by authorities. Customer service!
Intermediation and the Future of Detection
Despite these blatant failures, US authorities have not sought to prevent Binance from serving nested accounts entirely. FinCEN, a department of the US Treasury dedicated to preventing financial crime, notes in its consent order, “Binance agreed to cease the practice of opening anonymous sub-accounts…”12 What Treasury really wants, in other words, is for Binance to establish more robust Anti-Money Laundering controls surrounding such accounts so that it has a better idea of who it is serving. This will undoubtedly be a major focus of the assigned corporate monitor.13
Lost in all of this are tremendous ironies. Cryptocurrencies were invented to eliminate intermediaries. Nested accounts would not be necessary in an idealist crypto world in which individual users transact directly via the blockchain. The intermediation of crypto has, as Henry Farrell and Abraham Newman note in a recent op-ed for the Wall Street Journal, rendered it more easily regulated.
But there is another irony specific to financial crime. Namely, the intermediation of crypto will likely make it harder to identify criminal activity. Blockchains are immutable records and thus can be used to trace the movement of digital currencies. Adding intermediaries does not change this fact. But with every additional layer of brokers and exchanges, each tied together through complex chain links of nested accounts, opportunities for obfuscation grow.
Further, being regulated is not the same as being compliant. Regulators may be able to subject cryptocurrency intermediaries to existing rules, including expectations that such firms monitor for suspicious activity on behalf of the state. But it does not guarantee they will perform that task effectively. To the contrary, the history of traditional finance has taught us again and again that private firms have little interest in policing their own clients. Thus, intermediation risks creating spider-like networks of firms with perverse incentives to look the other way. It will be the investigators - not the criminals - that get stuck in the cobwebs.
Disclosure: As of November 26, 2023, I own less than $100 in individual total value of the following cryptocurrencies: Bitcoin, Ethereum, Stellar Lumens, Fetch.ai, Compound, The Graph, and Amp.
Bart Custers, Jan-Jaap Oerlemans, and Ronald Pool provide a helpful overview of this process in “Laundering the Profits of Ransomware: Money Laundering Methods for Vouchers and Cryptocurrencies”
For non-simplified terms, see the Bank for International Settlements’ report on Correspondent Banking.
The Federal Financial Institutions Examination Council's (FFIEC) Bank Secrecy Act manual phrases it as: “A foreign bank that has a correspondent account at a U.S. bank may make the account services available to other foreign banks that are the foreign (respondent) bank’s customers. By doing so, the foreign bank is in effect serving as a conduit through which the correspondent banking services of the U.S. bank are being provided.”
The level of anonymity depends on the details of the services and the nature of the trading venues on which users operate. This anonymity may be higher on so-called ‘dark pools’ that purposefully mask the true identifies of counterparties.
Covered in detail, for example, in Julia C. Morse’s The Bankers' Blacklist.
FINRA order. The order weirdly refers to executing over 300 billion “shares.” I assume they mean executing orders to buy and sell shares.
Treasury’s press release.
FinCEN consent order.
Europol’s announcement.
FinCEN consent order, page 37, emphasis added.
When financial institutions face criminal charges in the US, they can be offered a Deferred Prosecution Agreement, or DPA. Normally the DPA requires that the institution make certain improvements to their compliance controls over a set period of time in return for avoiding charges or outcomes. Prosecutors will then force companies to foot the bill for a corporate monitor, a third-party (usually a former prosecutor supported by teams of lawyers and consultants) who reports on whether improvements are actually occurring. Similar processes exist in other jurisdictions (e.g., in the UK where it’s referred to as a Section 166 Skilled Person Review).