The most common question I've heard from clients over the last five years of working with the crypto industry in Canada is: “How does my company get a bank account?”

One of the reasons why it's so hard to get a bank account for a cryptocurrency-related company is the prevalence in Canada of stolen payment credentials (debit/credit card information). Most people who I ask about this crime says it's happened to them. In a study by Canada's Chartered Professional Accountants, approximately 1/3 of Canadians said they'd been a victim of this crime. The rest of this blog post will explain how this commonplace crime is connected to the difficulties that companies have had in opening business bank accounts in the virtual currency (cryptocurrency) space.

Canadian banks, as a rule, will not open bank accounts for companies engaged in the business of dealing in virtual currencies. Every business bank account in Canada is now checked for whether it has anything to do with virtual currency (through upfront questions at the branch and back office review later). I've personally seen it on the list of standard questions that are asked for opening an account. This is an astonishing level of attention from banks, given how small the crypto/blockchain industry is. Many in the community see this in a conspiratorial light (e.g. that banks view crypto as competition) but the actual explanation is more prosaic.

Companies that engage in virtual currency dealing (buying and selling cryptocurrency) have high rates of fraudulent transactions. The actual numbers are only known to the companies involved and their banks, but the rates are surely higher than for general business bank accounts. In most cases it's the company that is the victim of criminals who have used stolen payment credentials to purchase cryptocurrencies. They do this because cryptocurrencies are irreversible, unlike most other kinds of payments, and are an almost ideal method for criminals who are "cashing out" payment credentials. There are even online marketplaces where thieves sell these credentials to other criminals.

Criminals use stolen credentials to purchase cryptocurrencies (and gift cards plus every other means of converting credentials into cash or near cash). At a later date the actual owner of the account reports the transaction as fraudulent. The bank will inevitably side with the buyer (the real person who's credentials were used, not the criminals). The company (seller of the cryptocurrency) is then out their cryptocurrency and may also have to pay an administrative charge for credit cards. Furthermore, the seller may lose their account with the bank if it's reported to them (since banks deem them high risk if there are fraud reports, whoever is to blame) or have to pay lawyers to help them with the situation. The fraud rates with credit cards are so high that companies that handle this for cryptocurrencies charge 5% or more. As another data point: Canadian cryptocurrency exchange Coinsquare charges 10% for credit card purchases.

Although anti-fraud is every company's responsibility, stolen payment credentials are enabled by lax security standards which permit thieves to easily steal debit and credit card information. The blame for this lies squarely on the people who provide the systems that power electronic payments in Canada (which involves many players - more than just banks) but the costs are often borne by others. In the cryptocurrency context, the cost of this fraud is largely borne by the sellers and leads banks to view the sector (accurately) as high risk.

The cost of country-wide financial credential insecurity shows up as a problem for sellers of cryptocurrencies, and ultimately a problem for those who would like to open bank accounts that relate to buying or selling virtual currencies. The overall story of why crypto banking is so difficult in Canada is larger than just the payment credential problem but it's a key factor in explaining why banks don't want to deal with these kinds of accounts. As the Canadian banking system becomes more secure through initiatives by the card networks (see VISA's report about improving security in Canada) and banks I expect that this issue will lessen but it'll be a long time before this crime becomes rare enough that it stops being an issue for merchants of all stripes, including cryptocurrency vendors.

Anti-Fraud Footnote

One of the most effective means of stopping criminals from using stolen payment credentials is collecting identity documents (e.g. passport images). This helps to ensure that the person presenting the credentials is the same as the person who owns the payment source (debit/credit card). Unfortunately this can create a new risk for customers because the company now has a source of data that is also attractive to criminals (who are constantly looking for ways to defeat anti-fraud systems so that they can cash out credentials). In the event of the hacking or failure of a virtual currency company (e.g. restructuring of QuadrigaCX) users are left wondering what happens to their identifying information. Ironically, this means that the best solution to the problem of stolen payment credentials can itself create problems for people by enabling further misuse of their identity.