An engineering dive into crypto regulations

8 min read · Sep 19, 2022


By Femi Babatunde, Co-founder Savecoins Technologies

Table of Contents

1) Introduction
2) Governing Data
3) Liquidity Flow
4) Storing Liquidity
5) How Financial Portfolios are calculated
6) KYC
7) Cybersecurity
8) CI/CD Pipeline

For a start, I believe I dislike the name “web3”; I think it depicts the terminal financialization of the internet.

This could depend on how people learn the technology and maybe have a simple understanding of how the technology they are leveraging (for consumption, or as new devs entering the space) actually works. Maybe I’m just hating on the name.

For the context of this article I’ll be writing from the point of view of web 2.5 and web 3 (next article) for devs developing financial products in this space: how regulations are meant to affect different engineering processes (backend, liquidity flow, smart contracts, financial derivatives), how financial products are regulated in TradFi, and opinions on how they should be regulated now. This is because regulators fail to see the use of the technology you’re leveraging and only see the operations of most crypto firms, just like traditional banks and exchange systems alike.

Also, what code actually means in free speech (this relates to the Tornado Cash incident, if you don’t know about it) and what code actually means in law. This is part 1 of 2 articles explaining this dive.

Web 2.5 (Fintechs leveraging blockchain)

If you’ve built or started building financial products off-chain, this is basically an easier way to understand what this article means in relation to this point of view.

Governing Data

One of the most strictly regulated areas of the global financial business is data protection and privacy.

The World Bank’s database of laws pertaining to fintech in more than 200 nations reflects this fact.

Data ; World Bank

The majority of the countries on the list (167 in total) have data protection legislation. Therefore, it is something your crypto financial product must most likely follow.

The General Data Protection Regulation (GDPR) in the EU is one of the most well-known data protection laws. It is known for having some of the strongest data privacy regulations in the entire globe.

The GDPR regulates how businesses gather, use, and store the personal data of EU citizens. The maximum sanctions for infringers are €20 million or 4% of the company’s sales, whichever is higher.

Additionally, GDPR doesn’t just apply to companies in the EU. No matter where you are in the globe, GDPR applies as long as you have European users.

The Consumer Data Right (CDR) in Australia and the California Consumer Privacy Act (CCPA) in the US are two other laws that merit further investigation.

Due to the lack of a single statute that covers all aspects, American fintech regulation in particular can be quite perplexing.

But adhering to data standards isn’t simply necessary for conducting business legally in a nation; it’s essential for a financial app to succeed.

Compliance requires that the business takes all reasonable precautions to protect that data from attacks and breaches. This is great for gaining users’ trust and retaining their interest in your software for a longer period of time.

What steps do you take to adhere to privacy and data protection laws?

The ideal approach is to have a data governance framework — a group of policies and procedures for handling data — in place.

The ARMA framework and the EDG framework from PwC are two


Since a lot of crypto-tech companies leveraging the blockchain share a similar architecture with TradFi fintech firms, it’s important to apply similar data regulations to crypto technology companies that leverage the blockchain to provide crypto-native financial products.

For core web 3 tech companies who build on the blockchain, the regulatory process will obviously be different, because some part of the regulatory process is what the technology aims to solve.

Liquidity Flow (includes reliability of integrations for electronic money flow and data shared)

This is one of the most fascinating things for me in Financial technology; the pipelines for money flow.

In TradFi, pipelines of money flow are often affected by off-chain settlements (fiat settlements) between financial institutions.

The Consumer Financial Protection Bureau (CFPB) in the US, which oversees electronic money transfers using debit cards, ATMs, and POS terminals, is in charge of enforcing the Electronic Fund Transfer Act (EFTA). Instant transfers in Nigeria are regulated by the Central Bank of Nigeria.

“Its objective is to safeguard users in the event of a mistake, such as when money is mistakenly moved to another account.”

“You must inform users of certain details about their fund transfer transactions in order to be in compliance with EFTA.”

The main parts of it are a list of liabilities for unauthorised transactions and what happens when an error occurs.

Open banking has made financial engineering easier for fintech products, including payments and data shared between financial institutions, but should the reliability of these APIs and the development phases involved in transferring money be regulated? (More on this at the end of this article.)

Storing Liquidity

For fintech products to receive fiat liquidity, they have integrations with banks (sub-accounts) that are licensed to collect cash deposits, so you are able to send cash into these banks and get the value in the frontend to use that particular fintech’s product.

The regulations concerning storing liquidity for crypto companies are similar to those for TradFi fintech firms in terms of how their fiat and crypto deposits are stored and whether they are insured. Since crypto is programmable money, the regulations aren’t entirely the same as fiat regulations.

Crypto deposits can be hard to insure and regulate because of the architecture for saving these funds (hardware wallets or software wallets). Because of this, the US SEC told crypto firms operating in the US to treat customer crypto deposits as unsecured debts on their balance sheets. What does this mean? The US SEC understands that these deposits are not insured and can easily be affected by loss and hacks; without proper tech regulations for crypto firms, this is the easiest way to deal with crypto deposits and also inform users about the uncertainty of their funds.

It’s not entirely reasonable to label crypto-assets as securities, not only because their intrinsic value can easily be transferred on blockchains but because these assets aren’t used only for speculation. Due to the intrinsic nature (volatility) of crypto-assets, it is hard to label them all as currencies, so securities and monetary laws shouldn’t fully apply to them; it’s more optimal to treat them as commodities.

How can storing crypto liquidity be regulated?

Different crypto-native technology companies have different architectures that are used to offer financial products to their respective tiers of customers. The optimal way to regulate crypto deposits could be through external audits of customer deposits, to ensure they align with the liquidity position of these crypto companies so that customer withdrawal demands can be met and a bank run avoided. A crypto-native regulatory body can monitor the activities of these crypto companies to ensure they are compliant with reporting how customer deposits are stored, so as to allow for better future audits.
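The deposit-versus-reserves audit described above, as an added illustration (not code from the article or from Savecoins): it totals customer deposit liabilities per asset from a constructed ledger, compares them with constructed reserve balances, and flags any asset whose coverage ratio falls below 1. Asset names, amounts and the `MIN_COVERAGE` threshold are assumptions for the example.

```python
"""Reserve coverage check: do held assets cover customer deposit liabilities?"""
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from the article): a customer deposit ledger
# as (customer_id, asset, amount) and the firm's held reserves per asset.
DEPOSITS = [
    ("cust-001", "BTC", Decimal("0.50")),
    ("cust-002", "BTC", Decimal("1.25")),
    ("cust-003", "ETH", Decimal("10.0")),
    ("cust-001", "ETH", Decimal("2.5")),
    ("cust-004", "USDT", Decimal("25000")),
]
RESERVES = {"BTC": Decimal("1.80"), "ETH": Decimal("12.5"), "USDT": Decimal("20000")}
MIN_COVERAGE = Decimal("1")  # assumed policy: reserves must fully cover liabilities


def total_liabilities(deposits):
    """Sum what is owed to customers, per asset. Decimal avoids float rounding."""
    totals = defaultdict(Decimal)
    for _customer, asset, amount in deposits:
        if amount < 0:
            raise ValueError(f"negative deposit for {asset}")
        totals[asset] += amount
    return dict(totals)


def coverage_report(deposits, reserves):
    """Per asset: amount owed, amount held, coverage ratio and any shortfall."""
    report = {}
    for asset, owed in total_liabilities(deposits).items():
        held = reserves.get(asset, Decimal("0"))  # unlisted asset -> nothing held
        report[asset] = {
            "owed": owed,
            "held": held,
            "ratio": held / owed if owed else Decimal("1"),
            "shortfall": max(owed - held, Decimal("0")),
        }
    return report


def undercollateralised(report, minimum=MIN_COVERAGE):
    """Assets whose coverage is below the policy minimum; these block sign-off."""
    return sorted(asset for asset, row in report.items() if row["ratio"] < minimum)


if __name__ == "__main__":
    rep = coverage_report(DEPOSITS, RESERVES)
    for asset, row in rep.items():
        print(f"{asset}: owed={row['owed']} held={row['held']} ratio={row['ratio']:.4f}")
    print("undercollateralised:", undercollateralised(rep))
```

On the constructed data the USDT position is only 80% covered, which is exactly the condition an external auditor would have to report before withdrawals could be honoured in full.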

How financial portfolios are calculated

A particular importance of crypto-assets is the practicality they afford for financial engineering in investment products. So the code for the math behind various portfolios for different crypto products and DeFi primitives should be regulated: derivatives, index funds and stablecoin designs should have their code audited by crypto-native regulatory bodies to ensure it is consistent with the values shown in the frontend to customers. Savecoins will open source the math that powers the code for some of our products and processes.

KYC

A crucial regulatory need for any financial institution is Know Your Customer (KYC).

Almost all banks and providers of financial services, such as insurers and lenders, are required to comply with it — and so are you.

KYC’s objective is to confirm the user’s identity and risk profile. This guarantees that they are legitimate and not fraudulent. The major purposes of KYC are to thwart fraud and money-laundering operations.

This is how a typical flow looks.

Fraudsters are becoming more skilled at getting past KYC procedures, which is another problem. For instance, they can submit KYC requirements with phony IDs or videos, or even pose for them using wax figures.

Like anything else, these obstacles can be eased through technology. Liveness detection technologies can determine whether a person seen in a live video is real or not.

To simplify your KYC, though, often all it takes is a change in strategy. The financial app Savecoins is an excellent illustration.

Although we understood the necessity of KYC, we also understood that it can be a time-consuming process that discourages users.

We decided to include it later in the process as a remedy. By doing this, we gave users a chance to discover and build trust in the app, which increased their willingness to finish the KYC procedure.

Cybersecurity

There is a greater need than ever for cybersecurity precautions due to the all-time high in cyberattacks (up to 50% higher in 2021 than in 2020, according to CheckPoint Research).

So it’s shocking that only 55% of big businesses are giving it the priority it needs.

This was the conclusion of a survey by Accenture, which also discovered that only a small proportion of these businesses qualify as “Cyber Champions,” those who have superior cybersecurity safeguards in place.

Since crypto startups aren’t as highly regulated as larger financial institutions, the situation in the sector is similar. Make sure you’re not one of the numerous lax crypto tech companies affected by the lack of more stringent cybersecurity rules.

This situation makes hackers more motivated to target fintech apps. Financial platforms are frequently targeted by hackers, as evidenced by the Finastra ransomware outbreak and the data leak at the US fintech app Dave.

The Dave incident is remarkable because a third-party provider’s breach, not the Dave app itself, was to blame.

It draws attention to a crucial point: your app’s entire ecosystem, including the third-party providers it depends on, should be secure.

You must protect everything, including your network endpoints and servers.

CI/CD Pipelines

Understanding CI/CD Pipelines

CI/CD stands for Continuous Integration and Continuous Delivery (or Deployment). Developers who use continuous integration typically merge their code into the main branch frequently. Every application modification must first pass a number of automated tests before it can be included in the build. This helps avoid integration hell and aids the early detection of software issues.

More significantly, continuous integration enables continuous delivery. CD is a set of procedures that accelerates the software lifecycle; in other words, CD enables more frequent product releases. The build is pushed to the delivery environments. Additionally, CD is a largely automated procedure with defined risks, just like CI. Continuous delivery, however, is not always synonymous with continuous deployment: with continuous delivery, giving users access to the release is still done manually.

A lot of developers are familiar with CI/CD pipelines, but do you think they should be enforced in the development of financial products?

I will write more on this in the next Engineering dive on DeFi regulations.