A thread from our CSO, @adam_t_h, on withdrawal security:

We process a lot—seriously, a lot—of deposits and withdrawals every day. As we’ve scaled, we’ve developed a number of security controls to protect your hard-earned satoshis (and other assets too) from bad actors.
These controls have evolved, and will continue to evolve, as BlockFi continues to grow and the threat landscape changes. Finding a balance between safety and user experience is tricky, but something we as a company are committed to. So let’s talk about the details.
We're subject to certain AML and KYC requirements. Meaning, we need to know who our customers are. This is done using verification of government-issued identification and personally identifiable information (PII). Pretty standard for a regulated financial services firm.
We VERY much encourage all of our clients to enable two-factor authentication (2FA) and withdrawal address allowlisting. This combination removes a significant amount of risk, but even when used together, is not a “silver bullet”.
Behind the scenes we run analytics based on a number of factors to determine the risk of any client transaction, especially withdrawals. Occasionally, a withdrawal may trigger a PII verification—even with 2FA and allowlisting enabled.
PII verification has less to do with AML and KYC and more to do with us wanting to be sure you are in fact you and the withdrawal is valid. This PII verification decision is fed by numerous variables, which can include amount, velocity of transactions, and geographic location.
Unfortunately, if we disclose too many details, it could be used against us by nefarious individuals to circumvent the security framework built into the system.
We have heard the feedback from our clients and know the increased PII verification is a process that needs improvement. We get it: being subject to KYC-like workflows is inconvenient and kind of a hassle.
We are looking at ways to refine our rule set without introducing unacceptable risks to client accounts and withdrawals. This will include not only refining current rules but implementing better risk analytics and risk management automation.
As those latter two items make their way through testing and near implementation, we will be sure to communicate those details. As always, if you have any questions about the security at BlockFi, you can find a friendly answer by emailing security@blockfi.com.
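An added illustration (editor's example, not BlockFi's code or rule set) of the kind of risk-based step-up decision the thread describes: an additive score over amount, transaction velocity and geographic location decides whether a withdrawal is approved or sent to PII verification, and 2FA plus address allowlisting only lower the score rather than bypass it. All thresholds, weights and sample accounts are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed thresholds and weights; a production engine tunes and hides these.
AMOUNT_THRESHOLD_USD = 10_000.0
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_MAX_COUNT = 3          # withdrawals allowed per window before velocity counts as risk
STEP_UP_SCORE = 50              # score at or above which PII verification is triggered


@dataclass
class Withdrawal:
    amount_usd: float
    country: str                # geolocation of the request, as seen by the service
    at: datetime
    two_fa_passed: bool
    address_allowlisted: bool


@dataclass
class AccountHistory:
    usual_countries: set         # countries the client has previously transacted from
    prior: list = field(default_factory=list)   # earlier Withdrawal records


def risk_score(w: Withdrawal, hist: AccountHistory) -> int:
    """Additive risk score. 2FA and allowlisting reduce risk but are not a
    'silver bullet': a large withdrawal from a new location still steps up."""
    score = 0
    if w.amount_usd >= AMOUNT_THRESHOLD_USD:
        score += 40                                  # amount
    recent = [p for p in hist.prior if timedelta(0) <= w.at - p.at <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_MAX_COUNT:
        score += 30                                  # velocity of transactions
    if w.country not in hist.usual_countries:
        score += 40                                  # geographic location
    if w.two_fa_passed:
        score -= 15
    if w.address_allowlisted:
        score -= 15
    return max(score, 0)


def decide(w: Withdrawal, hist: AccountHistory) -> str:
    """Return 'approve' or 'pii_verification' for the withdrawal."""
    return "pii_verification" if risk_score(w, hist) >= STEP_UP_SCORE else "approve"
```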