The Inlock platform prioritises the highest level of security for our clients’ assets and data, using a range of features and processes, such as independent asset and custody management; high-value asset insurance that covers losses from cybercrime and technical issues; over-insured collateral management; the ability to liquidate collateral; and security-focused product development.
The following paragraphs explain our practices on asset security and the regulatory aspects of the Inlock platform in further details.
General aspects of crypto assetsCryptocurrencies are not legal tenders, so in practice there is no such thing as deposit insurance on this market. Cryptocurrencies are not covered by any national or other extended deposit or investment insurance. Clients should accept that cryptocurrencies are high risk assets, where there is always a chance that the value of a particular crypto coin could change significantly in any direction, or that the network protocol for a particular crypto asset contains a flaw that could significantly affect its value. Cryptoassets are currently unregulated or under-regulated in most jurisdictions. However, jurisdictions are working to develop a legal framework for these assets. Clients should accept that the Inlock platform has no control over the volatility of the value of cryptocurrencies, their potential technological challenges or regulatory risks.
Considering that the risks of cryptoassets are significant, they are definitely not comparable to the financial products provided by banks. Inlock nevertheless strives to provide its clients with bank-level asset protection through its well established technology and business security processes. The main elements of this are described below:
What is Inlock’s practice on this?
The business processes of the Inlock platform are fully automated. This includes the management of deposits/withdrawals, allocations and collateral.
The Inlock platform uses a complex system for customer habit analysis that helps us to detect unusual events efficiently. In such cases, the operation can only be executed after manual approval. Thanks to the established process, it has been possible to detect and prevent the compromise of user accounts on several occasions in recent years.
Inlock only provides secured loans to its borrowers. In all cases, the collateral is a cryptoasset that is suitable for quick liquidation. By liquidating the collateral, the platform ensures that there will never be a situation where the value of the collateral is lower than the value of the debt in the loan transaction. This ensures that our clients using a Savings Account are fully repaid in all cases.
Liquidation: the process where the collateral that was received in exchange for an asset lent out is sold at market price. This occurs when the risk of undercollateralisation of the borrower’s contract is high (>96% LTV).
Inlock (unlike most other market participants) holds the collateral ONLY for liquidation purposes, so the collateral will not be re-lent, invested or otherwise used even if the over-collateralisation of the underlying loan transaction would allow it.
Liquidity objectives: Inlock aims to provide free liquidity to the largest institutional players in the market, using the funds that was deposited by clients in the Savings Account as a source. The service provides fresh liquidity to large market participants (e.g. stock exchanges, trading houses), which allows them to keep their fees low.
Inlock has proven several times that it can liquidate collateralized assets efficiently. During the course of our operation, we had the chance to liquidate millions of dollars of assets in a short period of time. Thanks to strict operational rules and full automation, there has never been a single case of an under-collateralised loan transaction during the operation of the platform.
The exclusive asset manager for the Inllock platform is Fireblocks, whose SOC 2 Type II audited security infrastructure storage system has been audited by E&Y. Inlock has a high level of dedicated asset insurance to complement its Fireblocks service, which covers loss of assets due to cybercrime and also technical issues.
Asset insurance: The insurance between Inlock and Fireblocks aims to protect the part of the client’s assets that are not currently lent out. The value of the liquid assets must never exceed the value of the insurance, so under-insurance cannot occur. Our clients can’t directly enforce any claim with the insurance company, nor are they entitled to see the details of the asset insurance due to the nature of the business relationship between the contracting parties.
For more details regarding Fireblocks’ insurance, please visit the service provider’s website. Some highlights of the policy:
Fireblocks has a unique insurance product that not only covers stored assets, but also assets in motion (for example within Inlock or between Inlock and its partners), which makes it unique in the market. This is particularly important in a market where technology risks are high, as Inlock’s business model is based on the active management of stored assets, with the lending of assets and the management of collateral being an essential part of this.
Inlock’s security system has been designed by professionals with extensive experience from the bank industry, who have been involved in the design, implementation and monitoring of active protection systems for 20 years.
Inlock runs an ongoing bug-bounty program, where everyone has the opportunity to report any security issues that are discovered or identified in exchange for a high reward.
The Inlock platform does not transfer any hidden risks to its clients. The collateral deposited by the borrower is stored exclusively in a (hardware) cold wallet, from which it is only withdrawn when it needs to be liquidated or when the client has repaid the loan.
The Inlock platform does not provide any financial advices. In all cases, clients use the platform by their own decisions, without the platform providing any tips or advice. The platform does not automatically or intuitively perform any action on the client’s loans, unless the client has pre-set this by their own choice.
Inlock is not in a position to evaluate the appropriateness of liquidity in case of borrowing. Objective aspects are considered in each case. If there is a risk of under-collateralisation of a contract, the platform automatically initiates the liquidation of the collateral. These processes cannot be stopped and cannot be reversed. Our clients requesting a loan should be aware that cryptoassets are highly volatile products, where there is a high risk that a sudden fluctuation in the exchange rate could result in a sudden sale of collateral that the client requesting a loan may find difficult or impossible to react to. In order to ensure this, Inlock does not give the possibility of withdrawing cover from contracts, even if the market would otherwise allow it.
Within Inlock, each client may only manage his/her own assets. In particular, illegal deposit collection through an intermediary, fiduciary asset management, including group or multi-level schemes, is prohibited. Fiduciary asset management is only possible through an intermediary party if the intermediary party does so through the Inlock White-Label Solution, where it has previously certified that it has the necessary authorisations to deposit virtual assets in its service territory.
In case any of our clients receive an enquiry where the initiating party is providing group fundraising or asset raising services on behalf of Inlock, please contact our colleagues via [email protected]
The key to customer security
Inlock provides a wide range of tools to help our clients to take care of the security of their accounts themselves:
Mandatory two-factor authentication for withdrawals, recording of withdrawal addresses, and for logging in. Automatic temporary account suspension in case of suspicious customer activity. In the event of a security incident, users can disable their accounts directly from the notification email.
Account security events (password change, 2fa switch on and off) will suspend all withdrawals for 24 hours.
Once a new withdrawal address has been set, it is not possible to initiate an allocation for 24 hours.
For mobile applications, it is convenient to use pin codes or biometric identification.
In addition, a variety of other protection features are currently being developed.
Inlock has been operating since March 2018 and since then we have not had a single security incident where either customer data or customer assets have been compromised.
Regulation
From a regulatory perspective, it is important to separate the ILK token and the Inlock platform as these two services are subject to different legal regimes.
ILK token
The ILK token was issued by an Estonia-based entity that we created for this purpose in 2018, in line with the then newly developed Estonian legal framework that allowed for the issuance of virtual tokens to legal entities. From the very beginning, the ILK token was positioned exclusively as a utility token, which was later (2 September 2019) verified by an independent audit. The audit was conducted by KGP Legal LLC of Singapore. The audit examined the token under the requirements of the Securies and Futures Act (Cap. 289) of Singapore, issued by the Monetary Authority of Singapore (MAS). The audit report concludes that the ILK token is not a security, derivative product or collective investment scheme unit (unit certificate) and that trading in the token does not fall within the category of securities trading. The supplement to the audit also examined compliance with the “Guide to Digital Token Offerings” Directive, which was recently published on the 5th of April 2019, and which the ILK token also fully complies with.
Although the Singapore regulation issued by the MAS is the most complex and stringent regulation currently known, we also take the the guidelines of the various jurisdictions into account, so residents of the following countries are not allowed to use the ILK token on the Inlock platform or enjoy the benefits associated with the ILK token: United States of America (USA), Japan, China, Malaysia.
INLOCK platform
An important principle in the design of the platform was to ensure that it is the least exposed to the constantly changing and even conflicting regulations in neighbouring countries. The Inlock platform provides financial services linked exclusively to crypto assets (virtual currencies), with no connection to the traditional fiat money-based financial world, and, in the case of crypto-assets, any new asset may be added to the platform after a thorough preliminary examination, excluding, for example, privacy coins or tokens that have no utility character whatsoever, created solely to offer the promise of a tempting investment to customers.
For most jurisdictions around the world, there is no general regulation under which Inlock’s service can be interpreted, so we have essentially created a self-regulatory operation where we apply best legal practices from different countries to Inlock. We consider the European Union as the platform’s own jurisdiction. In the first quarter of 2020, we brought the platform into full compliance with the requirements of EU AML Directive 5, with a related registration requirement with the local office of the EU Financial Intelligence Unit, and have since then continued to work with the authority, supporting its work to combat money laundering and terrorist financing. As the regulation requires the use of an audited communication device for remote identification, we were one of the first to carry out a full audit of the Inlock platform in August 2020, which included a full security and operational security review of the platform in addition to user identification.
We are constantly monitoring the development of EU supervisory requirements and we are involved in the MiCA (Markets in Crypto Assets) working groups from the very beginning. Since October 2020, the Inlock platform has been compliant with the EU Guideline 2019/1937, which is currently in preparation and which defines the Inlock platform as a Crypto-asset Service Provider. Until the final release of the MiCA, the Inlock platform will ensure full compliance as a self-regulatory service provider. In the EU, the platform is operated by Variance Hodling Ltd.
Other jurisdictions: the Inlock team is currently focusing on full legal compliance in the EU. For other jurisdictions, new legal entities will be created in the different target countries from 2022.
Restricted countries: in line with existing regulations, INLOCK services are not available to residents of certain countries. Afganistan, Belarus, Bosnia and Herzegovina, Burundi, Central Africa Republic, Congo, Egypt, Guinea, Guinea-Bissau, Haiti, Iran, Libya, Lebanon, Mali, Myanmar, Nicaragua, North Korea, Somalia, Sudan, South Sudan, Syria, Tunisia, Yemen, Iraq, Laos, Uganda, Ethiopia, Vanuatu, Sri Lanka, Trinidad and Tobago, Pakistan, Algeria, Bahamas, Barbados, Cameroon, Ghana, Jamaica, Mauritius, Panama, Niger, Nigera, Niger. INLOCK is also not available in certain states of the United States of America (New York, Texas, Alabama, New Jersey).