byzantine.net

One Company Decides If You Can Run a Business

In this post we examine the death of my first startup, and the birth of my second one. How one company can be the arbiter of what industries should exist.

Originally titled "Centralized Finance: Future of Freedom of Expression", but I decided that was perhaps a little too politically charged, and just boring enough to not click and read about this serious flaw in how our global payment networks currently operate. I have also significantly altered the article from the original. Enjoy!

This post, and really what guided me to build what I'm working on right now (spoiler: a decentralized payment network), was sparked by something that I experienced between 2018-2020 after graduating from gymnasiet (essentially high school, but a bit higher level in Denmark). During my time in school, I had kept in contact with a good friend of mine from middle-school, another self-taught software engineer (who's now gone on to do great things), and we both decided we needed a break from schooling, but had shared a passion for cryptocurrency for many years. At the time, the interest mostly came from its technical persuasion and occasional punts based on predictable events such as halvenings or new methods of decentralized consensus being discovered (this was back when Hedera's Hashgraph (what a fiasco) was still experimental and Casper, now Ethereum's PoS, was highly theoretical), but then we realized that all modern monetary transfer protocols (such as SWIFT) are just information sharing standards, so we saw potential in this relatively new technology, and pretty quickly, we decided that more people needed access to it.

Graduation

A somber-looking, freshly graduated Frederik wearing a Danish graduation cap (yes they really look like that. Mine is black because I took voluntary extra chemistry classes, it's an odd system.).

So, with a shared passion for decentralized currency, a graduation diploma in hand, and a mission to lessen the barrier-to-entry for ordinary people in Scandinavia to get into cryptocurrency, we started our company. Ecstatic to even get the papers filed, we celebrated the first day, prior to a single line of code being written, not knowing what we had just embarked on.

Coin Nordic was big and complex, mostly due to this being our first 'serious' project, and we both had a mentality of perfectionism (one that's hardly gone, for example, the current project I'm a part of builds everything from scratch and self-hosts to ensure data such as mailing lists or submitted questions isn't handed to 3rd parties accidentally). This had to be proof against all vulnerabilities and run smoothly at all times. We weren't building a simple exchange, we were essentially building Coinbase, adapted for Scandinavia, with all the bells and whistles that come with an institutional grade exchange.

And so it began: microservices, so many microservices, our "Overseer", a system that kept track of all services and would spin up new instances if any of them encountered unexpected issues. A packet router, a packet risk analysis system, and with a starting capital of 50,000 DKK (approximately $7,000), I had somehow managed to network my way into getting a contract with Chainalysis through a distant acquaintance I had at the Danish-founded company, despite their starting contracts requiring more than our entire operating capital (so thank you Mikkel from Chainalysis).

Except for our automatic compliance systems that were provided by Chainalysis for "KYT" (Know-Your-Transaction), everything was built meticulously from the ground up, because time was what we had a lot of, but money and surviving a breach, that was the one thing we couldn't afford. So graphs, all UI elements, every piece of backend code, an automatic system to have the optimal ratio at all times in hot wallets and using multi-sig to move assets around. All built from scratch to avoid supply-chain attacks, because, well, we were the supply chain. It was all perfect, obsessively so, and then one day, approximately a year and a half into development, it was time to integrate with a payment processor and a clearing house. And this is when trouble began.

An image collage of what the interface of Coin Nordic looked like back when it was being developed. Thanks to co-founder '█' for reaching out with a higher quality video to provide more images. Excuse the Æ, Ø and Å's but this is an exchange designed for Scandinavians. (09/06/2020)

Having been reasonably frugal, and living off our own savings, all we had was that aforementioned $7,000 but thankfully I had researched this in advance, and we had done the calculations and even in the worst-case scenario we'd still be profitable shortly after launch. The thing I didn't account for was the cataclysmic scenario. So we needed 3 things:

  1. A payment service provider (PSP)
  2. An acquirer (the intermediary that moves the money from a credit card to a bank account)
  3. A corporate bank account for a retail volume of transactions

The first step was relatively easy, I settled on QuickPay, the most inexpensive PSP I could find in Denmark, and then it was onto the acquirer, we settled on the company Clearhaus which was relatively new back then, a startup in Denmark. This is when we encountered the first strange situation. I emailed them and didn't get a reply after patiently waiting a week, so we had just gotten busy implementing the scaffolding around the integration of the acquirer in our code.

After not hearing from them the week after either, I decide to call them, the lady on the phone tells me Mastercard has unilaterally banned all transactions involving cryptocurrency, bummer, but no issue, we'll just go with a VISA-only package. Impossible she tells me. These companies work in unison, and are sold as a bundle contract.

Okay, well that was a bit of a gut punch, but not to be dissuaded, I continued on thinking we could find another acquirer who might not have gotten the memo or offered other services. Meanwhile, I figured we could find a bank, that should be relatively simple, my naïve mind thought in 2018. So I call up my personal bank, and again, they don't do business involving cryptocurrency. Weird.

But again, we move forward, looking for alternatives, and to make a long story short, I'm sitting with a spreadsheet of approximately 400 banks throughout Europe, and just started from the top of the list and went down, many of them giving an outright no, and some saying they'd have to take it up with their supervisor, and then e-mailed us a longer version of a no.

Except one bank in Lithuania, it charged 4.5% of your balance monthly, this would crush our margins and make it an unprofitable business as we had already tried to aim for a 0.3% profit per transaction. It was imperative that our account wasn't being drained 4.5% per month from banking fees alone, otherwise we wouldn't be able to accommodate payouts from sales, effectively rendering the business immediately insolvent.

At this point, it was looking pretty bleak, I had refocused on the acquirers, I tried contacting NETS, Scandinavia's biggest acquirer, used by the governments of Denmark, Sweden, Norway, Finland and all other northern European countries, and though we had gotten hopeful responses in the beginning, and paid about 10% of our capital to registering an account with them, they ended up getting cold feet, despite being presented with a comprehensive document of diagrams, explanations and KYC/AML considerations to reassure them that everything was above board and thoroughly compliant, but alas their compliance department didn't have the risk tolerance for a project like ours, and so we were faced with yet another: no.

I started writing out e-mails to founders, asking for help. Switzerland and Liechtenstein seemed to be the most accepting countries, but all banks there as well were dead-ends, except one: a founder got back to me and suggested one bank in Liechtenstein, Bank Frick. Excellent, but of course with a small caveat of 20,000 CHF (approx. $22,200.00 at the time of writing) per month for 'management fees', we wouldn't even be able to make it a week in that bank before going bankrupt. Back to the drawing board.

One day, I called up SAXO Bank, a bank that had gone under my radar initially, they held a banking license and offered corporate accounts, but their focus was mostly on offering complex investment products. I found it odd that this particular bank had escaped me, as it's famously a Danish bank, and the co-founder has now also gone on to found a crypto project. The private banker assigned to us from SAXO was exceptional, and within a week, we had a corporate account with them as well as a corporate credit card. Finally, a win.

But then wouldn't you know it, a few weeks into getting a bank account SAXO sold their private banking division to another Danish company called Alm. Brand which had the standard industry tolerance for cryptocurrency services, and so predictably, our account got terminated after a short while.

At this point, we had come to the realization that this was how the business died, it wasn't technical issues, it wasn't a failure to attract customers, in fact, we had plenty of would-be customers sending me messages on Facebook every day. This was due to having posted small updates and sneak peeks of the UX/UI of Coin Nordic to two Facebook groups: one for entrepreneurs and one for cryptocurrency enthusiasts, documenting our progress towards a final product, and it was bar none the exchange that offered the most fair quotes for acquiring crypto, as well as ease of use, storage, receival and sending. Everything was taken care of, as previously mentioned, a Scandinavia-adapted Coinbase.

And so with a sense of defeat, I wrote the last update on our progress in the Facebook groups, explaining an abbreviated version of the above.

Then I got an interesting message. A CEO, like, a real CEO of an established company reached out. He was interested in Coin Nordic, and felt he could solve our problems with the banks, as he, and I quote, "carried some weight at the bank". We were ecstatic. And so, we talked and took the train to Kolding (one of the business center cities of Denmark), and held meeting after meeting with lawyers present, something that felt completely foreign to us 19-year-olds, selling Coin Nordic in full for equity and a lump sum, as well as a senior position in their company, in a so-called "acqui-hire" (acquisition of the company to hire the employees). It was bittersweet. I was hoping to run a company myself, but money is nice, and so is a job.

Eventually, I got the itch again, and wanted to do something on my own, so I quit my position there on good terms, a few months after I had left, I reached out to the CEO on Facebook to hear if he had better luck with the banks, but evidently not, and Coin Nordic remains a highly complex, large codebase of a fully-working exchange (sans fiat payments and payouts), that rests in the graveyard of other projects that never made it to launch.

But then, I got really interested in analyzing exactly what went wrong — why are payment processors so extremely averse to accepting cryptocurrency customers? Why are they classified as high-risk transactions, the same category as firearms and weapons?

And so, the research began, strap in — this is gonna get a little technical!

The current rules and the consequences of breaking them

If people get thrown off Twitter, Facebook, Instagram or any other widely used social media service, the eventual response you’re met with is “If you’re not happy with it, just build your own”. I’d like to explain why this is inherently impossible with the current way sites generate revenue. Let’s say I were to start my own competitor to Twitter, and be slightly less stringent with how moderation is done. Advertisers of a certain standard (think: AT&T, Amazon, Samsung, Viacom, etc.) might not want to run advertising campaigns without certain guarantees of what content their ad is served alongside, but this is not the life or death of any Internet service.


A site can prosper through the goodwill of its users (as can individual creators, for example through Patreon, a crowdfunding site that pays out monthly contributions to creators), or through incentivized memberships that give access to more permissions, however, in order to accept payments that are surmountable for your everyday user (someone with no great technical experience), this hypothetical website needs to be able to process transactions through the four large credit card networks, these are: VISA, Mastercard, American Express and Discover. As mentioned with Coin Nordic, VISA and Mastercard come as a bundle, no matter what.

The Anatomy of a Credit Card Purchase

In order to truly understand the complexities of why the above-mentioned site would be immediately banned from these large four payment networks, as well as PayPal that piggybacks off of them, let me walk you through the (rather elaborate) anatomy of a credit card transaction:

  1. You choose to pay with a credit card of your choice (likely one of the big four).
  2. The website, even presenting as if the payment is occurring on their website, will then forward details about this transaction to a Payment Gateway.
  3. The Payment Gateway will forward the information to a Payment Processor, also known as an Acquirer, with commonly used ones being Stripe, Square or Authorize.net.
  4. The Payment Processor/Acquirer will inform the Acquiring Bank of the transaction.
  5. The Acquiring Bank needs a partnership with an Automated Clearing House.
  6. After the Acquiring Bank is notified, the Payment Processor sends the transaction to the Credit Card Network, and then something interesting happens:
  7. For VISA payments it will query the Visa Merchant Screening Service (VMSS).
  8. For Mastercard's services it will query the MATCH database (Mastercard Alert To Control High-Risk Merchants).
  9. American Express and Discover will query the MATCH list, also sometimes referred to as the terminated merchant file (TMF), which includes data shared by Visa’s VMSS.
  10. If your business is found on any of these databases, the payment processor will reject your purchase, essentially null-routing any flow of money to the given business: game over.
  11. If not, the Credit Card Network will send the transaction to the customer's bank, where the bank can choose to deny/accept the transaction, through their set of heuristics.
  12. After this, the Credit Card Network will send the final result of the transaction status back to the Payment Processor.
  13. You're then either greeted with a "payment successful" or "payment failed" screen.

All of these entities operate privately, meaning they have their own internal acceptable usage policies, risk management policies and free rein to label anyone as a high-risk merchant, and add them to MATCH, VMSS or the TMF. If we count them out, you have to follow, to the letter, the policies of: the payment gateway, the payment processor, the acquiring bank, the associated clearing house, the rules of four different credit card processors who all exchange information about ‘high-risk merchants’, and can put you on one of the aforementioned blacklists, as well as the whims of the customer's bank (for example, some banks on the customer's/buyer's side will outright deny any transaction related to Coinbase or other cryptocurrency services, as they have their own set of rules).

In total, that is 9 different policies that have to be followed to the letter, or the services will refuse to work with you; in the case of Credit Card Networks and Acquiring Banks, who have access to append businesses (and individuals) to the blacklist, you will also be banned from ever accepting money from any of the globally accepted payment networks again. By design, these policies are obfuscated, a black box so to speak, which makes it impossible to navigate which businesses the banks and payment networks find acceptable.

And so, to this very day, the only onshore Danish crypto exchange (to the best of my knowledge) only accepts direct bank transfers (i.e. no payment via credit cards). This exchange is called Copenhagen Bitcoin. We managed to figure out what bank they had and were informed they had a "special agreement"; this can sometimes occur if a business is successful and you've been a member of a bank for many years before they find out your activities.

Update: It appears Copenhagen Bitcoin, a provably profitable and prosperous business, closed its doors on the 15th of May 2023, due to "internal and external factors", a good guess as to the external would be an inability to find another banking partner.

The Credit Card Companies' Secret Blacklist

Did you know that your business, from one day to another, can be completely barred from accepting payments via the traditional payment networks? It could be a slight change in risk management, it could be a shift in politics, or it could just be at the whims of a risk assessment manager at one of the big four credit card issuers.

It is very important to stress that completely lawful businesses can be added to these lists, for any reason, by credit card companies, acquirers, or their partners who might personally find your business against their interest. If you are a persistent business person, and you’ve been blacklisted from getting accepted into a domestic acquiring bank to collect funds from your store, you might start looking at offshore banks: one problem.

Officially, there are 14 reasons, ranging from inactivity to fraud, that could get you added to the terminated merchant file, however, reason number 10: “Violation of Standards”, is peculiar, and a death knell to any esoteric banking solution you might be able to conjure up.

Not even an offshore bank will do business with you if this is the reason you're terminated, and the scope of its application is intentionally vague:

[T]he Merchant was in violation of one or more Standards that describe procedures to be employed by the Merchant in Transactions in which Cards are used, including, by way of example and not limitation, the Standards for honoring all Cards, displaying the Marks, charges to Cardholders

In short: this is the one rule that will bar you from using any bank globally as an acquiring bank, offshore or not, and it can be applied arbitrarily, even if your business is completely lawful. From one day to another, if you sell a completely legal service or product, and the political climate around that product or service changes, you could end up on the terminated merchant file. It’s unfair, it’s unjust, but it is unfortunately the reality we live in, and it’s poorly understood by aspiring business owners — an expensive, business-ending lesson to learn.

Once a business is blacklisted, without due process or fair treatment, they have no legal means of regaining their ability to accept credit cards. It is impossible to sue to inquire about the reason your business was added to the file in the first place. This is because the Terminated Merchant File, and the criteria for getting added to this list, are considered a trade secret.

It is a flawed, undemocratic system. So, going through all of this, and learning more than any ordinary person should know about payment processors, banks and compliance, I came to the realization that the thing I had set out to broaden access to (cryptocurrency) was the very answer to this arcane, duopolistic, unjust system. And so, I spoke with my good friend and cryptographer, Brandon Koerner, about this, and explained exactly what I had learned, and with great conviction to right a wrong that has existed for too long, we decided to start a new venture together.

As you probably know if you're reading this, I am the co-founder of a project called Discreet (@discreet). It is a decentralized, peer-to-peer network that allows transfers of value, and tokenization of real-world assets such as a fiat-pegged currency (famous ones within cryptocurrency being Circle's USDC and Tether's USDT), however Discreet would allow companies like Circle and Tether to issue their currency in a privatized manner, akin to how traditional banking works. Chainalysis could not figure out how you moved your money yesterday, no matter how hard they tried, short of breaking the law.

However, creating a privacy-respecting blockchain that implements regulatory-grade (compliant with AML/CTF laws) privacy for transactions and balances comes with its own set of challenges and uphill battles, ones I will discuss in detail in a later piece.

Recently I spoke to the topic of getting a bank account to fund the development of such a complicated financial network to the innovation arm of the New Zealand government, called Callaghan Innovation, you can find my contribution directly on their government website here: https://content.callaghaninnovation.govt.nz/web3 scroll down until you get to the 'Research Paper' section, and then click Debanking and its Implications for Aotearoa New Zealand's Web3 Ecosystem. It's very much worth a read.

In the future I plan to explore how the FATF, through its 'recommendations' (that's a misnomer, they're more akin to direct orders that land you on a sanctions list if not followed to the letter), essentially is trying to make it impossible to start, maintain or finance a project that doesn't inherently spy on its users and puts the onus of proving a crime on the enforcement agencies rather than a centralized company (such as a bank asking for PSP, or a bank asking for documents to cover their own behind, should authorities come to enforce the almighty word of the FATF).

If we put it in a cute graphic, people won't think of us as an unelected pseudo-dictatorship, right?

- The FATF, probably

Even though this article has been mostly critical of the centralized nature of how money moves, and specifically which two bodies have the most influence on the rules of the playground that governs that flow, I don't want there to be any ambiguity. I am very much against laundering, and Discreet is designed with network-level mitigations in mind to combat such nefarious use of the service, but as described earlier, I just believe the way we're currently dealing with the issue is flawed and leads to a lot of grief for financial institutions, as well as small and large businesses (i.e. Patreon having to blacklist a lot of creators who VISA or Mastercard might find against their AUP).

In fact, I attended an ACAMS moneylaundering.com seminar in Auckland, New Zealand. Despite the name, it's not a how-to guide, it's an agency that helps fight and identify trends in how money laundering occurs. It was interesting for the certain subset who likes to deep-dive these oddities that affect us all, but no one really thinks about. A memorable quote I want you to take with you and ponder on came from one of the speakers at that event: "for every dollar transacted, we spend 100$ on stopping money laundering," is that really reasonable? What sort of cost-benefit analysis goes into these proposals from groups like the FATF prior to publication?

Thank you for reading my first published blog post. I've been meaning to get around to this for the longest time, but Discreet has been an intense project to develop and has taken up most of the free time I have, and will continue to do so for the foreseeable future. I will keep you updated on my experience building an alternative borderless payment system, as it's a rather interesting journey, but for now adieu, I'll see you in the next post!

Frederik Oddershede Markor