Polymarket is reportedly under investigation by the Department of Justice for allowing U.S. residents to trade on its platform, despite a regulatory settlement prohibiting such activity.
Even though the prediction market blocks U.S. IP addresses, legal experts said that this alone may not be sufficient to comply with U.S. regulations, especially for companies with a history of regulatory issues like Polymarket.
Aside from geofencing, the only real way to prevent people in restricted countries from accessing a site is by requiring identification, but this means law-abiding users must trust a platform with sensitive personal data, cybersecurity experts said.
Polymarket’s current predicament highlights long-simmering compliance questions facing the crypto industry. You might call them Very Persistent, Nagging questions.
At the heart of matter is how blockchain protocols or even centralized crypto firms can address the widespread practice of users turning to virtual private networks, or VPNs, to circumvent geographical restrictions imposed by governments.
On Wednesday, federal law enforcement raided the New York home of Shayne Coplan, Polymarket’s 26-year-old founder and CEO. Although it is not yet clear exactly why the raid took place, and neither Coplan nor his company has been charged with wrongdoing, Bloomberg and The New York Times reported the Department of Justice is conducting a criminal investigation of whether Polymarket let U.S. residents trade on its site, in violation of a 2022 regulatory settlement.
Founded in 2020, Polymarket is one of crypto’s breakout successes this year, logging billions in trading volume and hundreds of millions in open interest, or contracts outstanding. Bets on the platform are settled in USDC, a stablecoin, which is a cryptocurrency that trades one-for-one with dollars.
Traders use the prediction market to bet on the outcomes of real-world events, everything from whether Jake Paul or Mike Tyson will win their boxing match to which actor will be next to play James Bond.
But the most popular subject by far has been the U.S. presidential election. Polymarket odds ahead of the vote presciently signaled that Donald J. Trump was in the lead while polls showed a tossup. In the weeks leading up to the election, media reports speculated that the market was being manipulated to show Trump ahead, potentially as a way of somehow influencing the outcome, but prediction market experts found the evidence for such claims wanting.
A Polymarket spokesperson called this week’s raid political retribution by the outgoing Biden administration for correctly predicting Trump’s victory – an interpretation widely echoed on social media. If that take is correct, the investigation may be short-lived, with a crypto-friendly president-elect set to take office in January.
Even so, the situation underscores broader questions that may need to be addressed if the new administration and Congress try to foster a more accommodating environment for digital assets.
Polymarket is forbidden to serve U.S. residents under a 2022 settlement with the Commodity Futures Trading Commission. It has been blocking users with U.S. IP addresses from trading.
But crafty American traders have been using VPNs to disguise their locations to bet on the platform. (CoinDesk verified at least two such cases).
Unlike regulated financial middlemen, Polymarket does not collect customers’ personal information. Aside from an IP address, it has little way of knowing where its generally pseudonymous traders are located.
That’s the rub, not just for Polymarket but for a host of crypto entities trying to avoid U.S. jurisdiction, such as projects that “airdrop” tokens.
What can companies that geofence the U.S. practically do to prevent Americans from accessing their services through VPNs? And what does the government expect firms to do?
Practical questions
According to privacy and cybersecurity researcher Runa Sandvik, the main thing a company can do to prevent people in restricted jurisdictions from accessing its services is to make them go through a know-your-customer (KYC) process.
“They’d need KYC,” she told CoinDesk. “It’s too easy to get around simple IP address blocks.”
Of course, KYC has downsides for users, including law-abiding users, who are asked to share sensitive personal information.
It “adds more friction to the sign-up process because you need to verify your identity; also need to trust the site is going to keep your data safe,” Sandvik said.
Aaron Brogan, a crypto industry lawyer, said that hypothetically, a company could strengthen IP address blocks by incorporating GPS data from users’ mobile devices, “but this might be impractical in commercial use.” A customer using a laptop without a GPS, for example, might have a hard time logging on without two-factor authentication.
Other ways to mitigate risk would include “not advertising into the United States, clearly stating on all relevant products that they are not available to U.S. users, and so forth,” Brogan added.
Polymarket has a mobile app available to U.S. users, but it only displays the odds generated by its markets and does not enable trading. The company has marketed aggressively on social media, but such platforms are global by definition.
One thing companies can do is to “monitor for users who change their IP address in a way that suggests the use of a VPN to circumvent a geofence,” wrote Jake Chervinsky and Daniel Barabander, chief legal officer and deputy general counsel, respectively, for venture capital firm Variant Fund, in a Sept. 30 blog post.
“For example, if a company observes a user attempting to access a geofenced product using a U.S. IP address and then immediately reconnect the same wallet address or account using a non-U.S. IP address,” that’s a sign of a wily American trying to get around the geoblock. An exchange could then block the rascal’s account or wallet address.
Generally, “it is an open question whether companies need to block all VPN use,” Chervinsky and Barabander wrote. However, “regulators have cited screening IP addresses against known VPNs as a positive factor for effective geofencing.”
Last year, in settling sanctions violation charges against CoinList Markets, the U.S. Treasury’s Office of Foreign Assets Control approvingly noted that among other remedial measures, the San Francisco-based crypto exchange had invested in “tools to detect the use of VPNs that can obscure users’ location.”
Legal obligations
Part of Polymarket’s challenge is that, having previously settled with CFTC, it may be held to a higher standard than a company with no history of running afoul of the U.S., said David Ackerman, a seasoned compliance executive and lawyer.
“A company that did not have a track record of violations, practically speaking, is held to a different standard,” Ackerman told CoinDesk. “Now, obviously [Polymarket] had a track record of violations, and they had a settlement. So the standard of care for somebody like that is going to be different.”
In Ackerman’s view, simply blocking IP addresses from the U.S. would not be sufficient to comply with such an order.
“Geo-fencing is one thing, but it isn’t very easy. Everyone has to KYC,” he said. “So if there is a discrepancy between the information provided in the KYC and the IP address that is being used, that is a very easy monitor.”
Brogan said geofencing should be viewed as “more of a risk mitigation strategy than a legal strategy.” The Commodity Exchange Act, which appears to be the law Polymarket is being investigated under, “likely applies whenever an entity is, in fact, serving U.S. Persons.”
In a 2018 speech, Brian Quintenz, then a CFTC commissioner, articulated a forgiving standard for determining whether blockchain projects are liable for user behavior.
The “appropriate question is whether these code developers could reasonably foresee, at the time they created the code, that it would likely be used by U.S. persons in a manner violative of CFTC regulations,” Quintenz said.
Since that speech, Brogan said, “there has been a sense among some practitioners that taking steps to block U.S. persons might forestall enforcement, but that is not necessarily what the law says.”
The CFTC’s 2022 order against Polymarket “required them to wind down non-compliant markets but did not specify what that compliance would require,” he said. “I don’t know if the CFTC told them privately that geofencing was sufficient, or if they’ve just been in détente for two years.”
Polymarket isn’t a regulated organization in the U.S., and the entity that operates it, Adventure One QSS Inc., is formally organized in Panama, according to its terms of service. But that doesn’t necessarily mean it can ignore U.S. law, according to Ackerman.
A “common misconception is you need to domicile in the country in order for their laws to apply,” he said. “So long as your business has an effect in the jurisdiction, you are usually held to their laws.”