

Not All Regulated VASPs are created equal: FTX and the lessons learned


Why are the ‘Access Points’ to Virtual Assets so important?

We live in very interesting and challenging times. On one side, we have young and innovative people all around the world who are motivated to promote and develop the application and use of new technology, with new efficiencies, and to generate new accessibility options from around the world to new products, services and assets. The ‘democratisation of finance’ is one of the principles around the development of blockchain-based virtual assets and infrastructure. However, on the other hand, there are challenges. What are the key ‘access points’ to these new assets and services? How do users around the world gain access to these markets? Is it simply an internet connection? If the access points, in this case a regulated Virtual Asset Service Provider or ‘VASP’ such as FTX, cannot provide safe and secure entry and exit points to this ecosystem, then how will it develop into a wider, global and secure market? This is really where there are such significant differences between Xapo and other platforms and service providers aiming to act as secure market access points or avenues to these markets.

The Regulated VASP Standard. What does this mean?

So how is that the case? Most people understand that a large percentage of the world’s access to the virtual assets space is through regulated VASPs. But what does that mean and what does it mean to be ‘regulated’? Well, one of the core objectives of regulation, and of running a regulated business, should be to protect and benefit people and to create secure economic environments for businesses to flourish. However, in reality, many countries have only aimed to introduce ‘VASP regulation or registration’ regimes that basically focus on questions of AML and KYC compliance. Unfortunately this does not always lead to a ‘regulated VASP’ being managed and operated in any way like a traditional regulated financial services business. While consumers almost always have a good degree of ‘trust’ in a regulated Bank for example, should they have the same level of trust in a regulated VASP? Are all ‘regulated VASPs’ built or structured taking into account the core principle of consumer protection? Are all regulated VASPs required to comply with basic principles of risk management, internal controls, resilience, capital adequacy, insurance, customer care and consumer protection, honesty and integrity? No, they are not. Are all regulated VASPs subject to the proper prudential supervision of a regulatory authority? No, unfortunately this is not yet the case in most jurisdictions in the world. It is, however, absolutely the case for Xapo, which is regulated in Gibraltar to the highest global standards that exist for any VASP.

Why is this so important today? Well, when we look at the FTX issue, it simply cannot have been the case that FTX, a “regulated VASP”, was complying with these principles. You need not take this from me; take it from the newly appointed CEO of FTX, John Ray, in his declaration in support of FTX’s bankruptcy filings:

“Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here. From compromised systems integrity and faulty regulatory oversight abroad, to the concentration of control in the hands of a very small group of inexperienced, unsophisticated and potentially compromised individuals, this situation is unprecedented.”[1]

Gaps and the ultimate cost to Consumers

This really highlights the significant gaps that existed in the regulation and oversight of FTX, and the lack of the application of core principles of security and regulation, perhaps most importantly the segregation and protection of client assets. How could a regulated platform like FTX be allowed, or not be sufficiently well monitored to restrict, access to or use of customer assets for the purposes for which they have allegedly been used? How could the FTX token, FTT, be structured under arrangements where the tokens were being bought back by profits of the FTX platform, which arguably links the value of the asset to the performance of an exchange? Worse, how could the FTT assets then allegedly be used as collateral by Alameda to fund its own activity? We don’t need to talk about appropriate conflicts management between FTX and Alameda, or even basic corporate governance principles, but if all of this activity falls under the purview of a head of risk management who has less than 2 years of experience (so we are informed), no one can honestly be too surprised that this can happen.

Everyone should be even less surprised that this could happen when the CEO of the same business could make such core errors in (public) statements that the platform had plenty of liquidity to facilitate redemptions. It would have been of little comfort to the world to read this being corrected by the same CEO, who then stated that ‘he couldn’t have got it more wrong.’ But how could he have got it so wrong? FTX’s business in perpetual futures allowed traders to trade crypto derivatives which could naturally be significantly leveraged. Was that not understood by the CEO of the business or will it become clear that this was also an issue beyond that?

Not All VASPs are Created Equal: Trust, Governance, Balance sheets and Experience

Unfortunately, consumers do not typically understand the difference between ‘regulated VASPs’ on the basis of where or how they are regulated. I would also not expect an average consumer to conduct due diligence on a VASP before opening an account. However, how a VASP is regulated is extremely important and in that context, Xapo expects to be a core pillar of the flight to safety and security. Why? 

  1. Having a USD account at Xapo Bank means that your interest-bearing USD balances are held at a fully regulated and capitalised credit institution and Bank, and automatically fall within the protection of a statutory deposit guarantee scheme.
  2. Holding BTC at the Xapo VASP does not expose you to any form of trading, lending or leveraged activity. The regulated standards which apply to Xapo simply do not allow it access to member BTC, as these must be maintained in a segregated account. Xapo VASP is regulated in Gibraltar, and under the applicable ‘Protection of Client Assets’ Guidance and regulatory principle, Xapo is required to have effective arrangements in place for the protection of client assets. It is also required to have taken precautions and established corporate controls to protect customer assets and monies against any eventualities and threats, as well as to maintain custodial assets, completely segregated from the VASP’s own assets and monies.
  3. Xapo has been involved in the crypto space since 2013. We have evolved over time from a Bitcoin wallet, to a custodian, to an e-money institution, to a Bank. We understood from day one that building trust through regulation, security and a strong balance sheet were key. Our balance sheet has 26,000 BTC that we use as a first loss protection layer for you, so you can rest assured your money is safe with us. This simply does not exist with any other VASP in the world.
  4. There are separate capital requirements that apply to the Xapo VASP beyond the protection of client assets, and separate and specific risk management, resilience and business continuity plans that the company is required to maintain and report on to the regulatory authority. 
  5. There are separate governance requirements that apply to each of the Xapo regulated entities and we are proud to maintain a heavyweight board and management team which is assessed based on its composition, the balance of skills, experience and knowledge of the products and services being offered.

It would be too detailed to provide, in this one article, a forensic comparison between the Gibraltar DLT/VASP Framework and the simple ‘registration’ regimes that exist elsewhere around the world. However, there are extremely substantive differences which we are happy and proud to comply with, in the interests of our members. We will cover these in a future write-up, so please keep up with us on our social pages: LinkedIn, Twitter, Facebook and Instagram. You can also contact us with any specific questions you might have.

Our objective is to ensure that we can provide the most secure, stable and trustworthy access points to BTC and USD in the world, as well as other emerging and modern units of value moving forward. These principles are completely unaffected and remain completely unchanged as we continue to develop and service our members around the world.



[1] https://www.documentcloud.org/documents/23310509-john-ray-declaration
