cryptocurrencies

Japan Regulators Face Scrutiny After Second Major Crypto Heist

Coincheck headquarters in Tokyo. Photographer: Akio Kon/Bloomberg

The second major theft of virtual currency in Japan is spurring lawmakers and the industry to question the ability of the country’s regulators to oversee the fast-and-loose tendencies of the crypto-trading world.

As the heist of almost $500 million in digital tokens from Tokyo-based exchange Coincheck reverberates through virtual currency markets, Japan’s eight-month-old law regulating Bitcoin and other cryptocurrencies, and the Financial Services Agency tasked with enforcing it, are coming under scrutiny.

“The government must take proper responsibility,” said Yukio Edano, head of the Constitutional Democratic Party of Japan, an opposition party.

The disappearance of about $470 million worth of Bitcoins from Mt. Gox in 2014 prompted lawmakers to enact new policies, which were passed into law in April. The rules made it easier for cryptocurrencies to be used in retailing and also spelled out how gains or losses from trading in them would be taxed. It’s now becoming evident that lawmakers may have made a critical mistake, when it comes to the exchanges: they let the industry come up with its own rules.

“Every hack that happens sets the whole industry back six months,” said Jared Polites, a former FBI securities fraud analyst, who is now a crypto currency marketing consultant. “Something’s got to be done. Crypto enthusiasts are all about decentralization but people also don’t want this.”

The FSA raided Coincheck’s offices early on Friday. The inspection was conducted to ensure security for users, Finance Minister Taro Aso said.

Technically, Coincheck wasn’t supposed to be operating, because it wasn’t licensed. Yet the startup was able to accept and disburse customer funds, buying and selling cryptocurrencies, even while its application was pending with the FSA, thanks to a provision that allowed pre-existing exchanges to keep functioning while they were being reviewed. There are 16 registered exchanges, while 15 others have been allowed to operate pending formal approval, according to the FSA.

Satsuki Katayama, a lawmaker for the ruling Liberal Democratic Party, said that this is the “first incident for the FSA and they probably don’t know how strictly to enforce regulations.”

Asked whether there were problems in how the FSA oversaw Coincheck, one agency official said there may be issues with the application and approval process. While there are exchanges that have gone through a stringent approval process, those operating on a provisional basis can still market themselves without investing in people or security, the official said.

A week ago, an unidentified thief gained access to Coincheck’s system and stole 523 million coins tied to the NEM blockchain project, which were trading at about 94 U.S. cents at the time of the hack. Coincheck said it would use its own capital to reimburse those who lost money. The FSA and Tokyo Metropolitan Police are now gathering their own information.

“Government is going to have to intervene with private companies, but it will be a fine balance,” Polites said.

Many governments are struggling to come up with rules to oversee Bitcoin and other cryptocurrencies. China has taken a tough stance, banning trading in virtual currencies and all initial coin offerings. In December, South Korea threatened to shut down cryptocurrency exchanges, triggering double-digit selloffs in Bitcoin and other cryptocurrencies. Japan has taken the middle path, allowing most operations to continue while enacting the new regulations in April.

Shifting regulations have fueled uncertainty among speculators across the globe, who are trying to determine when or how market watchdogs may rein in an industry that’s decentralized and derives much of its value from anonymous ownership. As a result, exchanges have been migrating to places with more relaxed or clearer regulations.

“Private security companies and the exchanges themselves may currently be ahead of the government in terms of cryptocurrency security, but this dynamic can’t exist forever in order for this asset class to progress,” said Michael Moro, chief executive officer of investment firm Genesis Global Trading.

Mineyuki Fukuda, who designed Japan’s cryptocurrency laws when he was a lawmaker for the ruling LDP, said more regulations aren’t the answer because they might stunt the development of a new financial technology industry.

“The FSA was doing its job; it’s not their fault,” Fukuda said in an interview. “So if they tie our hands with regulations again, it’ll be a real pity for these new businesses and technologies to come to an end.”

Part of the problem is that regulators were focused on issues such as fraud and taxation, without thinking through security risks that lead to incidents such as Mt. Gox and Coincheck. While specific security measures aren’t mandated, they are widely available. In the case of Coincheck, the exchange failed to implement two-factor authentication and stored coins in a “hot wallet” connected to a network, instead of a “cold wallet” that’s disconnected and more secure.

Asked about the Coincheck theft, opposition Democratic Party leader Kouhei Ohtsuka said: “They did not put together appropriate guidance or regulation making it compulsory to isolate the management of crypto-currency data from external networks.”

This week, the FSA ordered Coincheck to submit a report by Feb. 13 outlining the root causes of the debacle and its response to customers, along with how it intends to enhance risk management and internal controls.

Fukuda said that what the FSA needs is more resources: “The FSA has never been tasked with developing out an industry like fintech. It’s good that they’re trying, but they need more manpower. Not for the sake of regulating harder, but for the sake of being able to develop it better.”

— With assistance by Jason Clenfield, Yuji Nakamura, Emi Nobuhiro, and Isabel Reynolds

    Before it's here, it's on the Bloomberg Terminal. LEARN MORE