Enrique Palacios is Head of Compliance & Legal at Bit2me Security Token Exchange. An economist by training, with international experience in banking and consulting on blockchain projects, he has worked in recent years in the Compliance and Fincrime area of Onyze, and has collaborated with the EBA (European Banking Authority) on issues related to money laundering with crypto assets, such as the Travel Rule.
"Continuous training is key," says Palacios, who also considers it essential that there be "a consortium in the industry in Spain to have a multi-level presence in the various European institutions."
Question: How does an economist end up specializing in compliance and financial crime prevention in the cryptocurrency sector?
Answer: It's a very good question. I'm an economist by training, but let's say I've been gradually dedicating myself to this area. I've worked in banking in different positions and in different markets. Let's say I'm a Compliance Officer due to market and product knowledge. When I joined Onyze, everything was yet to be done. The part that motivated me the most was Compliance and anti-money laundering, as I could apply the banking compliance experience I had after being an investment director in Ireland. I met the capabilities of a compliance officer that the EBA (European Banking Authority) guidelines consider necessary, in addition to communication skills, good engagement with the regulator, and industry knowledge. It also helped to have that curiosity for the new and to want to stay up to date with regulations in both the traditional financial world and the crypto sector.
In that sense, with almost everything yet to be done, generating the regulatory standard is very attractive, especially when you come from a highly regulated industry. But it's very appealing and exciting to be able to help create the first regulatory layer by being part of different committees along with the regulator. In short, knowledge of technology and new financial business models, along with knowledge of more traditional regulation, have made me specialize in this area of knowledge, which I believe is necessary for the scalability of the sector, generating trust in the institutional sector, and offering financial services based on blockchain technology.
Q: You've been collaborating with the EBA (European Banking Authority): how has that experience been?
A: It's been spectacular. The fact that from a startup I could apply to the EBA and be selected to contribute my grain of sand is quite a milestone in my opinion... Well, I link it a bit with the first question. They were asking for knowledge of blockchain technology, crypto assets, and banking experience. It was like, "Well, maybe I can fit in." And so it was. I think being part of a European committee, advising on how to adapt fund regulations to the crypto world, the so-called Travel Rule, has been a spectacular experience, especially seeing how these bodies work, and verifying the amount of talent and knowledge they dedicate to new financial services. The possibility of sharing and debating with other industry colleagues and regulators from other countries was incredible. I had never been on a committee at this level before.
The experience and being able to debate such important issues as European fund transfer regulations, and the prevention of money laundering in the crypto world where your opinion is taken into account for being in contact with the user and seeing the impact of regulations in practice, is very important. You realize the importance of having an industry consortium in Spain to have a multi-level presence in European institutions, especially on new technologies and services where we are going to compete with the rest of the countries that make up the EU.
Q: With Onyze, your last work experience, you applied customer knowledge (KYC) and anti-money laundering (AML) controls even before being obligated subjects. What advantages does trying to stay one step ahead of regulations bring?
A: To answer, I'm going to take a step back. The fact of creating a team with new technology, a young multidisciplinary team, made up of criminologists, lawyers, and economists, who had little experience in regulated sectors but with a common denominator: they know blockchain technology and have tinkered with cryptocurrencies, is an advantage to be able to advance and evolve quickly when regulation arrives. Let me explain: when you enter directly into a regulated sector, there are barriers that you cannot cross. On the other hand, when you work with people who have the freedom to act, despite knowing that regulation will come, you can move much faster. The team has gone without ties from the beginning, and then approaches theory from practice. That's why the philosophy of 'compliance first' allows you to adopt different tools from scratch, technological tools, to be able to modify and change them throughout the entire journey. For example, when one works in a bank, one knows that these regulatory infrastructures are very difficult to change. However, when you go with this modular mentality, knowing that you will have to adapt to changes, as startups do, it's an advantage. Therefore, having technical skills and modular adaptability to regulation is a factor to consider. And then, obviously, it provides you with a very clear competitive advantage. Over the last few years, we have seen companies that are born within the tech world, and they don't have that regulatory awareness; they ignore it and are reactive. And they find that when regulation comes, they have very big problems adapting.
Even in some jurisdictions like Estonia, many projects have had to close because of this. In this way, this vision of 'compliance first' helps a lot. And it's not something common in the sector, not even in traditional banking. But it did give us a great competitive advantage at the beginning.
Q: What key aspects should crypto companies take into account to comply with the new regulatory requirements in Spain?
A: Product and technology knowledge. A compliance officer in this world is not only useful for knowing the regulations. There's a brutal migration of talent coming from the traditional regulatory compliance branch to technology, and that transition is hard, because there are regulatory concepts that are only known or understood when you really know the technology and the regulations would be applied in a biased way. If, for example, you know blockchain, and you know the concept of a flash loan, a loan that you grant yourself, that is only executed if certain parameters are not met...
If you explain it to a person who comes from traditional regulation, their head explodes. And there are many examples of this style, not just this one, because there are many tokenized products and services that can already be done with blockchain technology. An example is Didit, your product, which is very transversal. With other future regulations like MiCA, it will be necessary for people who are on boards of directors to have knowledge and experience about all this.
From what we are seeing today, it is difficult to find people who really meet these capabilities, so initially this needs to be compensated with training, hence the proliferation of specialized programs.
Q: What do you consider to be the best practices for implementing a KYC and AML process?
A: First, be clear about what the business model is. A B2B model, oriented to companies, is not the same as a B2C model, oriented to users. You have to know how to define it. And then, know if you are an obligated subject or not, or if you are going to have relationships with obligated subjects, how they do the onboarding, if they comply with the Organic Law on Data Protection... all those things can influence you.
Second, consider whether you do it in-house, trust external providers, or both, which is the case we had at Onyze. It all depends on the strategic vision of the product being made. Do you do it yourself and invest and not depend on third parties? Or yes, well. That would obviously lead us to a third leg for me: knowing the providers. It's very important to do a market prospection of digital identity, screening, blockchain analytics... Then there's also the knowledge of risks. We talk about AML, money laundering... but risk prevention in the crypto world goes beyond that.
Knowing and working on them is important ex ante and ex post in internal and external processes.
Q: I understand that technology played a fundamental role. Can you be compliant without it? Are the processes better or worse?
A: You can have a vocation for compliance, but in this highly technological sector, it's very complex. It's always said that compliance officers must have autonomy, independence, be supported by senior management, and have resources. And many will tell you that they don't always get the support they would like. For me, when you start a business or project from scratch, compliance must go hand in hand with the business model. If the business doesn't work, of course, it will be complicated, but I don't see it as a support department, as it's often understood from management, but as a fundamental part of the business. It's capable of positioning you with an advantage in industries with very innovative technologies where regulation is yet to be developed, such as blockchain or AI.
But without technological tools, it's complex, and more so in the crypto world. In many cases, you'll need a powerful tool that identifies risks in transactions and wallets, that allows you to obtain reliable data and that complies with anti-money laundering regulations, fund transfer regulations, and data protection regulations. And without this, it's difficult.
Q: We've talked a lot about rules, regulations... but how do compliance processes affect the user experience?
A: Here we're always talking about the classic question of innovation and regulation, and how they have to fit together. Obviously, innovation always goes ahead. The ideal, for me, is to have the 'compliance first' approach, but always go hand in hand. Although it's complicated to make a predictive vision in these cases. To avoid, precisely, advancing certain processes that are cumbersome after rectifying and making double authentications, or having to ask for the data again or having to make other requests, the ideal is to have a technology that helps you.
And I think Didit can help a lot to make the user experience smoother, because it complies with eIDAS and other regulations that insist that you don't have to ask for data again. In any case, it's important to know that providers comply with GDPR and the Organic Law on Data Protection, to know how information is stored, how it travels, or if the data is in the same repository. For example, Law 10/2010 allows this casuistry, although it's true that, in the case of banks, they don't like to give this information. In short, we must tend towards balance, because with a bad user experience, customers are lost.
Q: MiCA is just around the corner, what do you consider to be the main challenges for the crypto sector in Europe with the entry into force of this regulation?
A: With MiCA, the sector is institutionalized. It establishes the standards for providers and issuers, and normalizes the services they offer and those they cannot offer, avoiding the legal problems they have, for example, in the United States. It obliges you to comply with capital prevention and market laws, requiring licenses for providers to be able to operate. For those of us who have been in the sector for many years, it was very difficult to get any kind of relationship with a financial entity due to the lack of a regulatory license; having one is a fundamental step. Also, putting ourselves in the consumer's shoes, it protects them.
We have seen the amount of fraud that has occurred in the crypto world. Now, the consumer is protected and can claim. It also opens the possibility of operating in all member states of the European Union. Now, with a national license, it can serve you to work in the rest of the countries. In short, I think it's going to change the rules of the game. For example, before, if you wanted to offer a service that is global, you had to register in each country, adapt to different regulations... and that's a setback. I think this is going to give an important boost to the sector and normalize it.
Although, as I say one thing, I say another. There are many people who say that the MiCA regulation is already born outdated. It could be. In fact, I see it very possible that in a couple of years, a second version of MiCA will be issued that includes those gray areas that they have not yet dared to add: DeFi protocols, pure NFTs and DAOs, normalizing staking and lending. But without a doubt, what it's going to give a boost to is stablecoins, specifically E-Money Tokens (EMTs), which are the killer apps of the sector right now. In fact, we are seeing how some large American projects like Circle with its USDC and EuroC currency after MiCA comes into force, have come to Europe for the legal security they find here.
Q: Do you think greater regulation will favor the adoption of crypto assets by institutional investors and the general public?
A: From my experience of having lived through the sector crisis in 2018, it shows that self-regulation has not been fulfilled. Many people were scammed. As it has been regulated, the industry has begun to have a specific weight as such. It's curious, because the crypto industry has been one of the few that has gone the opposite of what is considered natural. When a financial product or service is born, it comes from top to bottom: institutions support it and it expands through the retail sector. However, in the crypto world it has been the other way around. And institutions have been accepting it little by little. But I do believe that regulation is fundamental for the sector to grow and scale.
Q: Let's say I want to develop as a professional in the world of regulatory compliance, specialized in cryptocurrencies, what advice would you give me?
A: It's essential that you are passionate about technology and regulatory compliance. Get down to the nitty-gritty and see how a smart contract is programmed, be familiar with terms like API, nodes, Solidity... having basic knowledge of the technology is fundamental. You have to put a lot of passion into it, train yourself in business models and regulation. And be very flexible. In many cases, there's talk of unlearning to learn again.
You have to make a quantum leap to understand how Bitcoin (BTC) works, which is the basis for me, and from there, start trying to adapt with knowledge of the technology. For me, as I say, knowledge and formal training are fundamental. Sign up for courses, events, search for information on the internet... Now there is much more information. In 2017 it was difficult to even find people to exchange knowledge with... then meetups and the Blockchain Spain initiative emerged, from which great professionals in the sector have come out. Now there is much more information, programs, events both at a national and global level.
Continuous training is key: you miss a month of vacation and when you come back you're lost, because everything advances at an incredible speed.
Didit News