BARR Advisory recently partnered with Bitcoin ATM vendor Bitaccess to complete SOC 1 and SOC 2 audits. Bitaccess has more than 3,800 Bitcoin Teller Machines (BTMs) around the world, serving more than 350,000 unique customers. With the number of Bitcoin kiosks growing by the minute, we’re diving into the budding crypto industry and sharing some of our key audit takeaways so other companies, like Bitaccess, can better identify gaps.
Before we get started, here are five quick FAQs for those of you unfamiliar with Bitcoin or cryptocurrency.
- What is cryptocurrency? Cryptocurrency is defined as a digital currency in which transactions are verified and records maintained by a decentralized system using cryptography. Here’s a great article that goes into more detail about the “crypto” in cryptocurrency.
- What is a crypto ATM? It is an internet-connected kiosk that lets customers purchase Bitcoin and other cryptocurrencies with cash. It differs from a traditional ATM, which allows you to withdraw, deposit, or transfer funds using your bank account. Instead of connecting to a bank account, crypto ATMs connect to a cryptocurrency exchange network over an internet connection. The physical kiosk includes a monitor, QR scanner, bill acceptor, and dispenser. In short, crypto ATMs instantly convert physical currency into a digital form.
- What part does blockchain play in all of this? Blockchain is the underlying technology that supports cryptocurrency. For example, when you purchase cryptocurrency on a crypto ATM, the machine logs that transaction in real time on the blockchain.
- Are crypto ATMs regulated? Yes. In the U.S., Bitcoin ATMs must be registered with the Financial Crimes Enforcement Network and adhere to all anti-money laundering provisions within the Bank Secrecy Act (BSA). BSA law “requires all financial institutions, including Bitcoin ATMs, to assist U.S. government agencies in both detecting and preventing money laundering.”
- Why do crypto ATMs need to be audited? To ensure crypto ATM providers comply with the above regulations, a strong, comprehensive compliance framework needs to be implemented. And just having a compliance framework is no longer enough—you need a third-party partner, like BARR, to audit that framework and make sure all security controls are in place and operating as they should.
BARR did just this for Bitaccess through a SOC 1 and SOC 2 report, checking to make sure Bitaccess’s security controls—everything from policies and procedures to access control to change management and beyond—were designed, implemented, and carried out.
Security Best Practices for Crypto ATM Operators
Based on our work with Bitaccess, we thought we’d share a few best practices for other crypto ATM operators from our experienced audit team.
- Understand your commitments. Recognize and fully grasp the commitments to your customers in the environments and locations in which you operate. These will help you define your control environment and highlight higher risk areas when it comes to the security of your customer data.
- Establish internal change management policies. Given that crypto ATMs are built on fully cloud-based technology, internal change management policies set by management are critical to keeping a tight ship in a fast-moving, agile code environment.
- Appoint a designated compliance officer. You’ll need someone who takes responsibility for consistently assessing security controls.
- Train, retrain, and train again. Ongoing employee security awareness training is vital because many of your employees have or could have access to customer data. Be sure to also train them on common cryptocurrency risks, including money laundering techniques, cryptojacking, and other cybercriminal activities.
- Conduct annual third-party audits. Consistent independent reviews are the best way to make sure you have the right security controls in place and that they are working correctly to keep customers safe.
Partner with BARR to identify gaps in your crypto-centered data security plan. Contact us to get started.