Mark Paolillo is a founding partner and the CRO and CCO at Byte Federal. Mark recently spoke at the MTRA (Money Transmitter Regulators Association) 2024 Annual Conference. Below is a transcript of his speech in full.
Good morning everyone, my name is Mark Paolillo. I have worked in the public sector as a certified Public Accountant for 30 years.
Today, I leverage my experience towards a new passion as the Chief Financial Officer and Chief Compliance Officer of Byte Federal. We are a Bitcoin kiosk operator. We have about 50 employees and perform the majority of our operations in-house. We are Bitcoin enthusiasts. We believe in the utility of Bitcoin and have founded our company to meet the needs of this emerging market.
84% of all potential customers aged 60 and older never make it past our validation process. Today, I will show you why.
We hope that by sharing our procedures and experience from an industry perspective, together we can have a better understanding of the industry, and the efforts we take to combat scams.
Overview:
We will delve deeper into compliance: How we operate as an MSB registered with FinCEN and the customer requirements that entails.
We’ll look into customer support: How a proactive approach in customer service can protect consumers.
We’ll also detail our enhanced screening and validation procedures: We like to envision these strategies as good gatekeeper techniques which may slow and ultimately deter a fraudulent transaction from occurring.
Regulatory Perspective:
We begin with a quote from former FBI agent Vincent D’Agostino.
Vincent says, “There is still regulatory confusion around cryptocurrency. Companies in this sector need to push regulators to better understand the space before passing arbitrary regulations that have the ultimate effect of suffocating a fast-growing industry.”
He added that while he was at the FBI, he noticed “a lot of well-meaning but highly misinformed individuals within all government organizations.”
D’Agostino said that many of his colleagues were interested in Bitcoin yet many have been quick to label emerging technologies as “good” or “bad.”
He says, “Once those tags are assigned, it becomes difficult to change perceptions.”
This is our purpose for being here. We want to be an industry resource that regulators can collaborate with.
In our home state of Florida, our collaborative efforts helped draft legislation which targets procedures for combating fraud.
KYC/CDD Tiers:
Here are the KYC/CDD tiers we employ. We believe in prioritizing risk mitigation. Fraudulent transactions are one of those risks. To best combat these challenges, we’ve adopted a KYC policy which requires the same level of scrutiny regardless of transaction size.
Every customer at our kiosks are required to provide their full name, address, phone number, date of birth, government issued photo ID (front & back), a selfie, source of funds, use of funds, and their crypto wallet address. The wallet address is automatically screened against the chain abuse.com database to determine if it has been used in a previously reported transaction.
In addition, this information is forwarded to an independent third-party that provides us with the customer’s SSN and a percentage of likelihood that the customer is who they say they are.
Capturing this data is vital to assisting our compliance department and aids in any required FinCEN reporting.
Scam Deterrents:
We have an ever-expanding variety of scam deterrents in place.
These measures include automated scam deterrent text messages sent to all customers, detailed lists of common scams that must be viewed on screen and cannot be bypassed, and an additional screen for new customers that presents common scams in an alternative format, which also cannot be skipped.
And crucially, we have mandated support calls for individuals aged 60 or older to complete registration. They are not capable of transacting until they have spoken firsthand with our support staff.
Our support team is trained to discuss common scam techniques with customers and ask varying questions to help determine if the customer may be facilitating a scam.
Scam Prevention:
Here are some of the scam prevention techniques we employ on the kiosks.
If a customer answers yes to common scam questions or no to, “if this is your personal phone number?”, they are met with an intense graphic displaying “YOU ARE GETTING SCAMMED.”
We also move the yes/no buttons around the screen from time to time to make them actively try to find the correct answer.
Many of these pages cannot be bypassed and must be read and acknowledged before proceeding.
Customer Support:
Our support team tracks the type of scams being prevented and reported.
As you can see, there are many different types of scam categories which are very common across the entire financial services industry.
When our support team has suspicion of fraud or a customer calls in to report being a potential victim, we preemptively inactivate those customers which prevents them from initiating any further transactions.
Our validation procedures are the critical gatekeeping techniques we employ to slow, deter and screen against potential fraud.
In the table shown above are the percentages of customers that were validated as of July 2024.
As you can see, we have declined 27% of those potential customers due to a strong suspicion of fraudulent activity. An additional 57% were unable to be validated due to being unresponsive or failure to provide KYC information. This equates to the 84% of all customers aged 60 or older who never make a transaction.
We know the validation procedure alone has deterred scammers and given potential victims additional time to reconsider.
This has resulted in a total of only 16% of all potential customers aged 60 or older being approved to transact.
These numbers demonstrate the effectiveness of our validation procedures for vulnerable customers. We also believe that the majority of these customers will no longer fall victim to these scams in the future.
An important aspect of scams are timeliness: how fast the scammer can receive their money.
These gatekeeping techniques effectively pause and significantly slow down the time it would take to conduct a scam.
Support:
Here are some examples of our support calls.
The common theme is that our support team had suspected fraudulent activity, compiled as much information as possible to provide to the compliance department, and blocked registrations.
Collecting important information such as the scammer’s phone number, email address, and detailing the steps they took to orchestrate the scam.
All of this information is extremely helpful to compliance and to law enforcement.
*** Now, let’s listen to a real-life recorded support call, keeping in mind that the representative was relatively new at the time. ***
This call made me really proud of our customer support.
His thoughtfulness and friendly demeanor helped navigate a potential victim out of being scammed and possibly never to fall for a scam again, or at least, strengthen their awareness.
This person had spoken to their bank and already personally taken out the cash from a live bank teller. It was our efforts to validate which alerted them to the scam.
As you heard, the customer asked what he should do with the money he withdrew from the bank. We advised him to return it to the bank.
Compliance:
Here we have examples of how our compliance procedures interact with transaction limits with California as a reference.
When drafting legislation, it is important to consider the reporting thresholds set by FinCEN—$2… $3… and $10,000 as the primary benchmarks. For example, California’s $1,000 daily transaction limit has effectively eliminated the ability to review activity for CTRs and potential SARs, as transactions cannot meet the reporting threshold or indicate structuring behavior. This significantly hinders law enforcement’s ability to track and prosecute bad actors.
Based on the feedback we have received, our customers have reported accessing other kiosk operators in order to circumvent the daily purchase limit. This practice prevents us from having visibility into their full transaction activity, complicating compliance efforts and potentially increasing the risk of undetected suspicious activity.
We urge regulators to consider the unintended consequences of these daily limits and the significant impact they have on our ability to fulfill our compliance responsibilities effectively.
Conclusion:
As we navigate the regulatory waters of this emerging industry together, open and honest communication is essential to supporting effective regulatory leadership.
During our experience, we’ve found great value and comfort in discussing these complex issues with regulators.
It’s often a familiar face and a genuine conversation that helps bridge the gap between the rigid lines of statutes, corporate business plans, and the challenges of regulatory red tape.
Most recently, it was conversations with a law enforcement agency in Georgia that led to further innovation. This detective picked up the phone and called us directly. He detailed the steps taken to orchestrate a new type of scam. That involved the scammer attempting to register at our kiosk and instructing potential victims to use the registration information to send funds. In this case, the bad actor creates a near perfect counterfeit ID utilizing the victim’s ID and AI to alter the photo image to match the bad actor.
To combat this new technique, we have implemented an additional screening layer for all transactions which will present the photo ID used for registration. They will be faced with a screen that shows the image of the registration document and requires them to answer, “Is this you?” If the answer is no, the transaction is halted and the customer is locked out.
We hope this acts as a strong deterrent by providing a face for the scammer. Is this who you’ve really been talking to? Do you still want to conduct a transaction? Because of this direct communication with law enforcement, they were able to apprehend the bad actor and make attempts for restitution.
The scams affecting our industry are the same common scams that plague banking, payment services, and other financial sectors daily. These are not new or unique challenges; they are well-established problems across the entire financial services landscape.
When legislatures pass arbitrary regulations such as percentage fee caps, this does nothing to address fraudulent activity. Rather, this has a detrimental effect on industry participants as well as stifling innovation.
One has to assume that the motive for such a law is simply to eliminate the industry and not eliminate the scam.
We want to be a resource and partner in this process. If we can assist further—by providing an educational overview of virtual currency technology and our compliance measures, or by offering industry insights—please don’t hesitate to reach out. In fact, we encourage it!
We are here to support you in any way we can as we work together to ensure the safe and responsible growth of our industry.
