[ANN] Changes to AML Policies - Mt.Gox

[marcus_of_augustus]

Why would anyone in their right mind give Gox this much personal information when they can't even keep passwords safe?

Big, fat honey pot waiting for the bear to show up ... sounds like he is snuffling around the door, no?

[miernik]

Due to a increased amount of forged documents being received by our AML department, we will be adding extra provisions to our AML requirements starting immediately(*).

Well, OK, but can you please accept bank statements instead of utility bills?

I am a permanent traveler and don't have any bills/residence, but it doesn't mean that I don't exist!

How can I verify my account?

With a fuel bill from the petrol station or what?

[miernik]

SEPA transfers can potentially be reversed. Any time you deal with reversible methods verifying identity reduces risk.

SEPA transfers potentially reversible? How did you get that idea?

I have never heard of a single SEPA transfer being reversed, and I do read a lot about financial transactions in Europe, are on many groups and forums, and I would have heard about it if it was the case.

There are no more reversible then mailing a bunch of cash in an envelope to someone by mail.

AFAIK to "reverse" a SEPA you have to sue the recipient claiming you made a mistake, get a court order, and then a debt collector to get the money from the recipients account. That's the closest to "reversing" a SEPA as you can get.

Maybe you heard about SEPA direct debit being reversible, and made wrong conclusions? Direct debit is reversible, but that's a transfer initiated by the receiver - so like MtGox pulling money from your account. A sender-initiated SEPA transfer is not reversible (without suing).

[zer0]

SEPA transfers can potentially be reversed. Any time you deal with reversible methods verifying identity reduces risk.

SEPA transfers potentially reversible? How did you get that idea?

I have never heard of a single SEPA transfer being reversed, and I do read a lot about financial transactions in Europe, are on many groups and forums, and I would have heard about it if it was the case.

There are no more reversible then mailing a bunch of cash in an envelope to someone by mail.

AFAIK to "reverse" a SEPA you have to sue the recipient claiming you made a mistake, get a court order, and then a debt collector to get the money from the recipients account. That's the closest to "reversing" a SEPA as you can get.

Maybe you heard about SEPA direct debit being reversible, and made wrong conclusions? Direct debit is reversible, but that's a transfer initiated by the receiver - so like MtGox pulling money from your account. A sender-initiated SEPA transfer is not reversible (without suing).

If there is some kind of fraud involved it can be reversed. Same with wire transfers the banks will seek to claw the money back and your bank will just debit -1,000 or whatever out of your account.

It's very hard to get a bank account in Europe where you can receive a lot of incoming/outgoing SEPA. Banks will drop you quickly as it costs them extra money and they don't like doing it. Maybe there's some sort of SEPA payment gateway Gox could use instead of direct payments

[miernik]

If there is some kind of fraud involved it can be reversed. Same with wire transfers the banks will seek to claw the money back and your bank will just debit -1,000 or whatever out of your account.

Source of that information? Did you actually see a single case of this happening?

Any link to SEPA rules/terms&conditions/whatever saying that this can be done?

It's very hard to get a bank account in Europe where you can receive a lot of incoming/outgoing SEPA. Banks will drop you quickly as it costs them extra money and they don't like doing it. Maybe there's some sort of SEPA payment gateway Gox could use instead of direct payments

Never heard of such problems. A lot of financial service companies (peer-to-peer loans, currency exchange, etc) have accounts in Poland, where they receive a gazillion of transfers, and banks don't give a shit about it, never heard of a bank dropping a customer because of it.

Intersango.com SEPA account is in Poland, and isn't that one of the few (only?) Bitcoin exchange account that is there a long time and there has never been a problem with it (dropped/suspended)?

[zer0]

Every single bank has a reversible policy if the transaction is due to fraud, otherwise you can just phish bank accounts and transfer away with zero consequences. Google debtor SEPA payments reverse, or read up on SEPA fraud.

As for banks dropping you every old school Liberty Reserve exchanger on the talkgold forums had said this has happened to them after they started getting a lot of transfers. European banks don't like ecurrency exchangers and bitcoin is included: https://bitcointalk.org/index.php?topic=32604.msg409957#msg409957

If that polish company can manage to do it that's great, what bank are they using? Most banks will just dump you unless you start agreeing to paying SEPA fees

LR/Pecunix and their exchangers have survived for years before bitcoin was even a glint in satoshi's eye learn from their mistakes and how their model has worked over time. There's a reason you can't directly buy into LR, Pecunix or Cgold

[miernik]

Every single bank has a reversible policy if the transaction is due to fraud, otherwise you can just phish bank accounts and transfer away with zero consequences. Google debtor SEPA payments reverse, or read up on SEPA fraud.

I did just Google it, and its all about DIRECT DEBIT reversal! Do you understand the difference between debetor-initiated transfer an a direct-debit (creditor initiated)?

The "you can just phish bank accounts and transfer away with zero consequences" is complete bullshit - no single bank allows you to make a transfer without a one-time password sent to your mobile phone or hardware token.

If someone did phish your account, the bank will surely not reverse the transfer - think about it - everybody could make a transfer to another bank, pay for something, and the call the bank and claim they where "phished" and get the money back. No, they don't! It doesn't work! And I did read many stories of a similar thing on banking forums in Poland, because many banks allowed, and some still do, to make a transfer in the banks branch by handing a paper-filled form with the transfer and your signature - and people had money from their accounts stolen by having the signature forged and the bank teller not noticing it - and the bank did NOT reverse these transfers - not in a single case! They had to sue the bank, and in some cases the bank claimed - its not our problem - sue the teller if you want! If they could reverse the transfer, they would do it, and not go into such lengthy legal battles with the customer - but they can't, and if they lose the case, the bank would have to refund the customer from the banks own money.

If that polish company can manage to do it that's great, what bank are they using? Most banks will just dump you unless you start agreeing to paying SEPA fees

http://www.bzwbk.pl/

But that bank actually charges fees for SEPA (both in/out) to everybody.

But no bank in Poland will actually mind about currency-exchange and lots of transfers. There are lots of currency-exchange private companies (PLN/EUR and etc) doing exchanges through bank accounts in all different banks in Poland. There is even a company http://www.bluecash.pl which has accounts open in 23 polish banks, and provides a service that you transfer money with an internal bank transfer to their account in your bank, and they make a transfer from their account in the bank your recipient is - within 10 minutes - so your transfer arrives in 10 minutes, and not hours/next-day like with normal intra-bank transfer.

And none of these companies has documentation requirements ANYWHERE near the ones of MtGox - none of them requires to send anything on paper, just fill out your data on the web, and off you go! They just warn you that information about transactions above 15000 EUR can be forwarded to a government financial inspector, but nothing more is required to make such transactions.

And even more: two banks in Poland allow you to open accounts completely online, without sending them anything on paper, if you already have an account in some other bank in Poland and send them a transfer from that account - they consider data from the incoming transfer as sufficient identification. And I have an account in one of these banks, and my daily limit for online transfers is 1000000 PLN which is about 250000 EUR.

[antares]

MTGox, I would like you to tell us how many exceptions you have made to the withdrawal limit rules. I.E. cases which you required ID to withdraw amounts less than specified, or proxy cases as we seem to have come to the conclusion that those can trigger ID requirements.

If there are ANY other cases which you are requiring ID then we have the right to know.

I deposit 350btc sell high, buy low, then withdraw a little less than 400 purposefully to avoid having to deal with ID requirements. Now I can totally see my btc being held hostage on some random day that I need the liquidity, so will I get hit?

dude, this is exactly what happened to me.

[bittenbob]

MTGox, I would like you to tell us how many exceptions you have made to the withdrawal limit rules. I.E. cases which you required ID to withdraw amounts less than specified, or proxy cases as we seem to have come to the conclusion that those can trigger ID requirements.

If there are ANY other cases which you are requiring ID then we have the right to know.

I deposit 350btc sell high, buy low, then withdraw a little less than 400 purposefully to avoid having to deal with ID requirements. Now I can totally see my btc being held hostage on some random day that I need the liquidity, so will I get hit?

dude, this is exactly what happened to me.

So we have one case so far. This is a bit disturbing but at the same time I could see a withdraw slightly below the threshold being viewed as suspicious.

[556j]

So we have one case so far. This is a bit disturbing but at the same time I could see a withdraw slightly below the threshold being viewed as suspicious.

Is a withdrawl slightly below slightly below the limit also suspicious?

[bittenbob]

So we have one case so far. This is a bit disturbing but at the same time I could see a withdraw slightly below the threshold being viewed as suspicious.

Is a withdrawl slightly below slightly below the limit also suspicious?

This is what I was referring to. If the limit on transactions for reporting to your local tax agency is $10k and you receive some transfers for $9999.99 then that would definitely raise some red flags.

[bittenbob]

Seems we have another case:

So I have this huge cell phone bill due to an online class I had to take for work.  I logged into Gox and sold some BTC to pay the bill.  I go to withdraw to Dwolla like I have done many times and I get "Your account is currently pending review" and I need to verify.  WTF Gox?  So I decided to buy back BTC and go to another exchange to cash out.  I try to withdraw BTC and I get "Your account is currently pending review".  WTF?  I can't get USD **or** BTC out of Gox?  You have got to be kidding me.  What happened to BTC being anonymous?  So I upload photo ID and read on the forums it could take 2 weeks to get verified.  I'm pretty sure it is illegal to let me deposit money but not let me withdraw it.  Time for a class action?

[Meni Rosenfeld]

So we have one case so far. This is a bit disturbing but at the same time I could see a withdraw slightly below the threshold being viewed as suspicious.

Is a withdrawl slightly below slightly below the limit also suspicious?

This is what I was referring to. If the limit on transactions for reporting to your local tax agency is $10k and you receive some transfers for $9999.99 then that would definitely raise some red flags.

You didn't get 556j's joke.

[BkkCoins]

Exactly. Suspicious how?
Just because someone chooses to withdraw slightly below the limit doesn't mean they did anything wrong. It just means they don't want the hassle of having to go thru an expensive and time consuming ID process.

Let's say you have $600 and want to withdraw but the limit is $500. Are you going to pay up to $100 or more plus wait two weeks and go thru an apostille process just so you can do it in one transfer?

Or are you just going to suspiciously withdraw $400 one day and $200 the next?

Right now it looks like you're better to withdraw $60 / day for 10 days and not have some authority jump on you as being "suspicious". Again, suspicious of what? What makes this desire to get your money any different from anyone elses?

I've been paid $2400 for a sale via Paypal and they didn't even blink at me about that.

If you ask me all this AML stuff is simply Wall St. creating an unfair playing field across the world to squash non-Wall St. banking interests. Everyone knows the US Govt is in Wall St.'s back pocket. Goons and Thugs, just with fancy wording!

[casascius]

So we have one case so far. This is a bit disturbing but at the same time I could see a withdraw slightly below the threshold being viewed as suspicious.

Is a withdrawl slightly below slightly below the limit also suspicious?

This is what I was referring to. If the limit on transactions for reporting to your local tax agency is $10k and you receive some transfers for $9999.99 then that would definitely raise some red flags.

You didn't get 556j's joke.

This year I had a $10k withdrawal limit and withdrew MtGox USD in multiple transfers.  Because of Dwolla's 25cent fee, they reached me as $9999.75.  Someone will probably look at that and call it a red flag and I should be prepared for questions.

[Mt.Gox Support]

Hi everyone.

We’ve had a strong reaction regarding the policy change to our AML verification process. One which we expected and honestly, understand. We would like to clarify a few things regarding this matter and to make sure that everyone is aware of who needs to own a verified account and what does such account offers.

As for today, using Mt.Gox does not require you to own a verified account, and everyone is free to trade with us and exchange Bitcoins within however certain boundaries.

The AML levels we employ are as follows:

1. No verification needed (Level 0)
Being “level 0” has the following limits: A maximum monthly withdrawal of 10,000 USD (or equivalent) capped to a maximum of 1,000 USD per 24 hrs and a 400 BTC withdrawal per 24 hrs without any monthly limit.

“Level 0” is designed for basic users, consumers and Bitcoin enthusiasts where the 10,000 USD monthly cap is enough for most needs.

2. Verified Status (Level 1)
Copy of a Valid ID and Proof of residence (Utility bill...)

Being “verified” has the following limits: A maximum monthly withdrawal of 50,000 USD (or equivalent) capped to a maximum of 10,000 USD per 24 hrs and a 4,000 BTC withdrawal per 24 hrs without any monthly limit.

The verified status is designed for active traders and/or small companies.

3. “Trusted” Status (Level 2)
A Notarized and Apostilled copy of a valid photo ID and Proof of residence. Companies are also required to send a notarized copy of their certificate of incorporation/registration, identity & address verification of shareholders entitles to 10% or more in voting rights, company constitution or articles of memorandum and a copy of Trust Deed for the Trust involved as part of shareholders. Please note that all document required in “level 2” must be sent by priority mail.

Being “trusted” has the following limits: A maximum monthly withdrawal of 500,000 USD (or equivalent) capped to a maximum of 100,000 USD per 24 hrs and a 40,000 BTC withdrawal per 24hrs without any monthly limit.

The “trusted” status is designed for day traders, professionals, and companies.

Please note that any suspicious activities can trigger a level 1 AML request from our side, resulting in the blocking transfers temporarily until the owner of the flagged account can prove their identity.

Also please note that using services like TOR or any public networks where more than one user have a shared IP address(Public school, University...) will automatically trigger an level 1 AML request from our side; this is in order to make sure that you are the owner of the account you are trying to access.

Once again, this AML system that has been put in place in order to not only protect Mt.Gox from fraudulent activities but also to ultimately protect you and your assets.

That said, to make everyone’s life easier and to make our services more user friendly, we are actively looking for simpler and less intrusive ways of verifying people’s identity.

The importance of being licensed

The AML requirements that we employ is really just the tip of the iceberg when it comes to Mt.Gox being licensed; we are indeed working on being fully licensed in several countries to ensure we can continue to do business. Us being licensed will also offer our customers peace of mind when it comes to us holding funds and personal information.

Finally, we all have a part to play here if we want to see Bitcoin succeed as a viable international medium of exchange.  We are doing our best to balance our responsibilities to the financial authorities, while taking into account the needs of our customers.

[Meni Rosenfeld]

2. Verified Status (Level 1)
Copy of a Valid ID and Proof of residence (Utility bill...)

Do I understand correctly that "verified" status does not require an apostille?

The original post in this thread made it seem like the new requirements apply also for "verified", which I think is what most of the negative reaction came from.

For the kind of company that requires "trusted" status, the trouble of getting an apostille is trivial.

[BkkCoins]

These limits seem pretty reasonable considering the amounts of money involved. I'll probably never even approach Level 1 myself.

But I do have a question. You state "public shared IP" causing Level 1 identity check. But it's very common for people to have dynamic IPs for their home service. Mine changes roughly every day pretty consistently. But I do have a web server for my business with a Fixed IP that never changes. So in this case I'd be better to use a secure proxy on that server to access MtGox as it would keep my IP consistent and the same. Do you actually capture user IPs that carefully or is a typical user going to be fine accessing from within the same IP block typical of a service provider? IP tracking seems frought with difficulties. I could see checking IPs against known bad lists and maybe Tor nodes as a more useful form of monitoring.

[Mt.Gox Support]

2. Verified Status (Level 1)
Copy of a Valid ID and Proof of residence (Utility bill...)

Do I understand correctly that "verified" status does not require an apostille?

The original post in this thread made it seem like the new requirements apply also for "verified", which I think is what most of the negative reaction came from.

For the kind of company that requires "trusted" status, the trouble of getting an apostille is trivial.

You are correct, the Level 1 does not required an apostille. Our first announcement was actually more targeted for Level 2, sorry for the confusion

[Mt.Gox Support]

These limits seem pretty reasonable considering the amounts of money involved. I'll probably never even approach Level 1 myself.

But I do have a question. You state "public shared IP" causing Level 1 identity check. But it's very common for people to have dynamic IPs for their home service. Mine changes roughly every day pretty consistently. But I do have a web server for my business with a Fixed IP that never changes. So in this case I'd be better to use a secure proxy on that server to access MtGox as it would keep my IP consistent and the same. Do you actually capture user IPs that carefully or is a typical user going to be fine accessing from within the same IP block typical of a service provider? IP tracking seems frought with difficulties. I could see checking IPs against known bad lists and maybe Tor nodes as a more useful form of monitoring.

In your case you are safe, however if more than one account is accessed from the same IP this will mostly trigger an AML verification.