We have a couple of things in place. When an employer is running payroll: they have 2 points to review (both employee and their payroll as a whole) the totals in USD, 2FA step, and then there's a countdown before payroll begins to run (which they can opt to rush if they so decide).
We have policies and tech in place to make sure that when we're distributing we can guarantee that payouts happen as we expect.
Fraud/risk - Bitcoin itself doesn't increase our fraud/risk. We follow a KYC process for all of the companies and employees on our platform. These are companies paying employees. These companies and employees are liable for their payroll taxes and income taxes and keep records of this for them. The employees themselves are responsible for maintaining their Bitcoin wallets. We verify that a wallet has a real address, but the risk for losing money forever if they enter the wrong address is the same as if they were transferring from one of their wallets to another using any other Bitcoin service.
Yikes, I disagree highly. You are operating a service that allows people to transfer USD from bank accounts into a relatively untraceable, irreversible currency. You will absolutely become, if you are not already, a big target for fraud.
The most common pattern we see is people trying to pay other bank accounts using a stolen bank account number. I don't think your ACH provider will care if the money is in bitcoin if you did not have authorization to pull that money in the first place.
All I'm saying is, your KYC process can and will fail, make sure you know your liability to your ACH provider/bank.
Thanks for the note, and the concern. It is an issue.
The risk I think you're saying is: if we charge a company with a stolen bank account and pay in bitcoin, it's irreversible. That's true. We're mitigating this — that's why there's an ACH chargeback period that we wait out. And why we verify bank account ownership before charging. These are standard KYC rules that we have to comply with before accepting a company on payroll, and charging bank accounts is all done on the company side. I hear that they might fail, but we're not allowing anyone to run payroll and pay out in high volumes (eg. 80+%) of BTC to start with until they've been manually verified.
We've checked this through our lawyers and via Fincen, and we're mitigating risks every way we can.
Yeah, sorry, I definitely don't mean to imply legal liability so much as financial liability. No one will really care legally (about you), you'll just be on the hook for the money.
As I said before, it's not a matter of whether or not your KYC process will fail, it's simply when and what happens after that. It sounds like you have your head in the right place, but I can tell you from experience that verifying bank account ownership and expecting the ACH chargeback period to be sufficient to protect you is not enough (for one thing a lot of banks are simply not great adherents of the ACH rules). You're essentially on your own, and you'll need to protect yourself, not just "follow the rules," if that makes sense.
> and charging bank accounts is all done on the company side.
I'm not sure what you mean by that.
Anyway, my contact info is in my profile and I'd love to chat more off-HN about this and compare notes against what you guys are doing.
We do have measures in place to protect ourselves and we appreciate your comments. There's always more that we can do.
It's also worth noting that an employer and employee have given all of the normal KYC information and have connected bank accounts so while the BTC wallet is "anonymous" on the network, we can link it to a specific person. The danger is near the same level as someone getting the money via ACH and immediately withdrawing in cash. (Many banks immediately mark the deposit as not-pending).
I'm not saying that there's not risk. Just that the risks are fairly similar even though the network is different.
Also I think what Tony was saying about debits only company side, is that we're only debiting company accounts which does decrease the fraud level vs a situation where we allowed an a personal account to be debited and money sent somewhere.
We have a couple of things in place. When an employer is running payroll: they have 2 points to review (both employee and their payroll as a whole) the totals in USD, 2FA step, and then there's a countdown before payroll begins to run (which they can opt to rush if they so decide).
We have policies and tech in place to make sure that when we're distributing we can guarantee that payouts happen as we expect.
Fraud/risk - Bitcoin itself doesn't increase our fraud/risk. We follow a KYC process for all of the companies and employees on our platform. These are companies paying employees. These companies and employees are liable for their payroll taxes and income taxes and keep records of this for them. The employees themselves are responsible for maintaining their Bitcoin wallets. We verify that a wallet has a real address, but the risk for losing money forever if they enter the wrong address is the same as if they were transferring from one of their wallets to another using any other Bitcoin service.