Digital Asset Exchange Development In Malaysia

We are pleased to share that our client, MX Exchange, is officially registered as the 4th Recognized Market Operator – Digital Asset Exchange (RMO-DAX) for cryptocurrency trading by the Securities Commission Malaysia (SC). Read more here. We at Agmo have been playing a consultancy role, assisting the company to build a solid technical architecture and meet the authorities’ requirements.

Some might think building an exchange is not that difficult, judging from its functionalities. In reality, there are quite a lot of detailed areas that you won’t know about until you are running the business yourself and dealing with the authorities yourself.

In this article, we will share some of the insights that we have learned throughout the journey.

1. Solid IT Policy

Securities Commission Malaysia has published a set of guidelines on cyber risk, business continuity and disaster recovery. As an RMO-DAX, you need to come out with your own IT Policy to ensure you meet the requirements. It is also recommended that you engage an external security advisor/penetration testing auditor to ensure your policy is sufficient. We strongly recommend our cyber security partner (NetAssist) to assist you on this; they also have a Security Operation Center (SOC) to help you monitor risks on a 24 x 7 basis.

2. Constant infrastructure monitoring

It is important to have automated infrastructure monitoring tools in which you can configure alerting rules, such as performance degradation, access to your backend from an irregular IP address/location, unusually high usage activity and so on. This can be achieved with Application Performance Management (APM) tools such as Azure Advisor.

3. Market surveillance

How do you prevent pump and dump, front running and other illicit operations? Being a regulated operator, you are responsible for protecting your investors’ interests from all these activities. In the market, there are a few well-known automated market surveillance engines, such as Solidus Labs and Nasdaq Smarts. Basically, you integrate your order book with the engine, and it will alert you when something goes wrong. On top of this, you also need to come out with your own Volatility Control Mechanism (VCM), such as a cooling-off period, market halt (limit up/down), bot detection, circuit breaker/kill switch (stopping a certain fiat/crypto pair) and so on. The mechanism should be designed based on historical market manipulation incidents at exchanges globally:
GDAX:
https://www.cnbc.com/2017/06/22/ethereum-price-crash-10-cents-gdax-exchange-after-multimillion-dollar-trade.html

Pump and dump:
https://www.lexology.com/library/detail.aspx?g=b92e6b62-0159-450b-b1d2-bdc4cac08748
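As an added illustration of the VCM ideas above (not code from the article or from MX Exchange), here is a constructed per-pair control: a limit up/down band around the last traded price that rejects out-of-band orders, a circuit breaker that halts the pair for a cooling-off period when the price moves too far within a window of trades, and a manual kill switch. The thresholds, window size and halt duration are assumptions chosen for the example.

```python
from collections import deque


class PairVCM:
    """Volatility Control Mechanism for one fiat/crypto pair (constructed example)."""

    def __init__(self, band_pct=0.10, breaker_pct=0.20, window=10, cooling_off_s=300):
        self.band_pct = band_pct          # limit up/down: max move vs last traded price
        self.breaker_pct = breaker_pct    # cumulative move over the window that trips the breaker
        self.cooling_off_s = cooling_off_s
        self.trades = deque(maxlen=window)  # recent traded prices
        self.halted_until = 0.0           # epoch seconds; 0 means no halt in effect
        self.kill_switch = False          # manual stop for this pair

    def check_order(self, price, now):
        """Return (accepted, reason) for an incoming limit order at `price`."""
        if self.kill_switch:
            return False, "pair stopped by kill switch"
        if now < self.halted_until:
            return False, "pair halted until %.0f (cooling-off)" % self.halted_until
        if not self.trades:
            return True, "no last price yet"
        last = self.trades[-1]
        lo, hi = last * (1 - self.band_pct), last * (1 + self.band_pct)
        if price < lo:
            return False, "limit down: %.2f below %.2f" % (price, lo)
        if price > hi:
            return False, "limit up: %.2f above %.2f" % (price, hi)
        return True, "within band"

    def record_trade(self, price, now):
        """Record an executed trade. Returns True if the circuit breaker tripped.

        Each trade may be within the band of the previous one, yet a run of
        one-directional trades can still move the pair far within the window;
        that cumulative move is what trips the breaker.
        """
        self.trades.append(price)
        lo, hi = min(self.trades), max(self.trades)
        if (hi - lo) / lo > self.breaker_pct:
            self.halted_until = now + self.cooling_off_s
            self.trades.clear()          # restart the window from the halt price
            self.trades.append(price)
            return True
        return False
```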

4. Digital Asset Custodian (DAC)

As an exchange operator, you will be receiving both fiat and cryptocurrency deposits.

For fiat deposits, the approach is similar to the Bank Negara Malaysia e-wallet guidelines: basically, a trust account is needed.

For cryptocurrency deposits, it is important for the exchange operator to store the assets safely, for example using a multi-signature cold wallet. The Securities Commission also launched the DAC guidelines in Oct 2020. There are two well-known third-party providers: BitGo and Fireblocks. This is to prevent incidents like the Coincheck hack, which was due to insecure wallet usage.

5. Know Your Customer (e-KYC)

Just like e-wallets and other Fintech applications, it is important for a regulated exchange to verify its investors’ identity, to ensure they are who they claim to be. An e-KYC process typically involves 4 steps: OCR (retrieving the name and IC number from the ID card), landmark detection (checking that the ID card has the necessary security features), facial comparison (comparing the user’s selfie against the ID card photo), and liveness detection (ensuring the selfie is of a live human, not a static image). There are a couple of e-KYC providers out there, such as Onfido, Jumio and others. If you are primarily targeting Malaysian users, we strongly recommend our partner, Innov8tif; their e-KYC product is proven solid and robust, trusted by many big brands.

6. AML/CFT/PEP

Next, you also have to check whether your customers are blacklisted in money laundering or terrorist databases, whether they are from a sanctioned country, or whether they are a Politically Exposed Person (PEP). There are a few common providers, such as LexisNexis, Refinitiv and Thomson Reuters.

7. Know Your Transaction (KYT)

How do you know if a cryptocurrency withdrawal is going to a group of illegal owners (such as a ransomware group)? There are cryptocurrency-specific technologies, such as ETHProtect, and commercial providers, such as Chainalysis and CipherTrace.
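To make the KYT idea concrete, the following added example (not from the article, and not how ETHProtect, Chainalysis or CipherTrace work internally) screens a withdrawal destination by walking a constructed transfer graph and holding the withdrawal for manual review if a flagged address sits within a few hops. The address names and the flagged list are placeholders constructed for the example, not real indicators.

```python
from collections import deque

# Constructed placeholders: addresses a provider would flag, with a category.
FLAGGED = {
    "addr_ransom_1": "ransomware",
    "addr_sanctioned_1": "sanctions",
}

# Constructed transfer graph: sender -> receivers, one edge per on-chain transfer.
TRANSFERS = {
    "addr_ransom_1": ["addr_mixer_a"],
    "addr_mixer_a": ["addr_hop_b", "addr_hop_c"],
    "addr_hop_b": ["addr_dest_x"],
    "addr_clean_1": ["addr_dest_y"],
}


def build_adjacency(transfers):
    """Undirected counterparty graph: an address is linked to anyone it sent to or received from."""
    adj = {}
    for sender, receivers in transfers.items():
        for r in receivers:
            adj.setdefault(sender, set()).add(r)
            adj.setdefault(r, set()).add(sender)
    return adj


def screen_withdrawal(dest, flagged=FLAGGED, transfers=TRANSFERS, max_hops=3):
    """Return (decision, category, hops) for a withdrawal to `dest`.

    Breadth-first search over counterparties, so the first flagged address found
    is the nearest one. Within max_hops -> "hold" for compliance review,
    otherwise "allow". A direct hit on `dest` itself is 0 hops.
    """
    adj = build_adjacency(transfers)
    seen = {dest}
    queue = deque([(dest, 0)])
    while queue:
        addr, hops = queue.popleft()
        if addr in flagged:
            return "hold", flagged[addr], hops
        if hops == max_hops:
            continue
        for nxt in adj.get(addr, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return "allow", None, None
```

Real providers score exposure by value and direction of flow rather than hop count alone; the example only shows the screening decision point a withdrawal flow needs.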

8. Solid Cloud Infrastructure

How do you cope with high transaction volumes when there are a lot of users? How do you continue your business when your data center is down for whatever reason? You would need different mechanisms to cater for different cases, such as DDoS attack protection, a Web Application Firewall, an Application Gateway, Failover Clustering, etc., to ensure high scalability, high availability and high security.

9. Others

There are many other details that you will only come across along the way, like partial order matching, real-time notification with the publish/subscribe pattern (SignalR/WebSocket), reducing crypto gas fees when sending to other users on the same platform, crypto-service integration like Geth/Bitcoin Core for block confirmations, and many more.
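Partial order matching is the one item in that list that is easiest to get subtly wrong, so here is an added example (constructed for this article, not MX Exchange’s engine) of a price-time priority limit order book where an incoming order is filled against one or more resting orders, and any unfilled remainder rests on the book. Trades execute at the resting (maker) order’s price.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    side: str      # "buy" or "sell"
    price: float   # limit price, fiat per unit of crypto
    qty: float     # remaining quantity (reduced as fills happen)


class OrderBook:
    """Price-time priority limit order book with partial fills (constructed example)."""

    def __init__(self):
        self.bids = {}   # price -> FIFO deque of resting buy orders
        self.asks = {}   # price -> FIFO deque of resting sell orders

    def _best_opposite(self, side):
        """Best price on the side an order of `side` would trade against, or None."""
        book = self.asks if side == "buy" else self.bids
        if not book:
            return None
        return min(book) if side == "buy" else max(book)

    def submit(self, order):
        """Match `order` against the opposite side, then rest any remainder.

        Returns fills as (taker_id, maker_id, price, qty) in execution order.
        """
        fills = []
        opposite = self.asks if order.side == "buy" else self.bids
        while order.qty > 0:
            best = self._best_opposite(order.side)
            if best is None:
                break
            crosses = best <= order.price if order.side == "buy" else best >= order.price
            if not crosses:
                break                      # no more price overlap; stop matching
            queue = opposite[best]
            maker = queue[0]               # oldest resting order at this price
            traded = min(order.qty, maker.qty)
            fills.append((order.order_id, maker.order_id, best, traded))
            order.qty -= traded
            maker.qty -= traded
            if maker.qty == 0:             # maker fully filled: remove it from the level
                queue.popleft()
                if not queue:
                    del opposite[best]
        if order.qty > 0:                  # partial or no fill: rest the remainder
            same = self.bids if order.side == "buy" else self.asks
            same.setdefault(order.price, deque()).append(order)
        return fills
```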

All of the above involves a lot of monetary, time and technology investment. Still interested in building an exchange after this? Write to us at [email protected]