Oct 11, 2024
Diana Tlupova: The Next Evolution of KYC Ensures Compliance While Preserving Privacy
After spending years working at the UK’s Financial Conduct Authority and advising the UK Parliament on economic affairs, Diana Tlupova got immersed in the crypto world. Since 2019, she has been guiding several centralized crypto exchanges on how to build effective compliance programs in a constantly evolving crypto regulatory landscape. Now Head of Compliance at ComPilot (ex NexeraID), Diana joins ETHSofia to contribute to the challenging conversation around crypto regulations.
The concept of compliance has been absolutely incompatible with the crypto space’s ethos for so long. The industry is now finally realizing that there’s no other way forward. How do you perceive that contradiction?
I would actually disagree that there is a contradiction here. It was always a known fact that sooner or later the crypto industry will be regulated one way or another. Simply, some forward-thinking companies realized that fact soon enough and started building their compliance programs early on. These companies have been well prepared when the regulations hit them. On the other hand, those that did not accept that fact and did not put their “house in order” in time are now suffering the consequences, and either have been fined or had to close operations in specific jurisdictions.
How can we remedy the conflict between KYC and compliance practices and the personal need for privacy and identity protection the cypherpunk movement is championing?
Balancing KYC compliance with privacy concerns is a complex issue, but it can be effectively managed by leveraging advanced cryptographic solutions. Traditional KYC processes often involve collecting excessive amounts of personal data, which introduces risks related to data breaches and privacy erosion. As an expert in compliance and digital asset infrastructure, I believe the key to resolving this lies in shifting from data collection to data verification.
At ComPilot, we implement privacy-preserving technologies like zero-knowledge proofs and decentralized identity frameworks. These allow for the verification of critical compliance-related information—such as identity or residency—without revealing the actual data behind it. This ensures that businesses remain fully compliant with regulatory requirements, while individuals retain control over their personal information. Moreover, we focus on decentralized data storage, which reduces the risks associated with centralization, such as breaches or misuse.
ComPilot’s approach is not just about fulfilling today’s regulatory standards—it’s about future-proofing compliance in a way that respects privacy and aligns with the broader push for personal data sovereignty. This is the next evolution of KYC: a model that ensures compliance while also addressing the very real concerns around privacy and digital identity protection.
Do you think that the progress in the space of Decentralized Identifiers (DIDs) and virtual credentials will facilitate your work? Or, is it all dependent on the speed of regulators catching up and legalizing such novel instruments?
The progress in the development and adoption of the DIDs and virtual credentials has been slow. There are several obstacles for that:
Lack of Education and Awareness around this relatively new concept;
Technical Complexity, as implementation of DIDs requires a certain level of technical expertise and infrastructure which is not always available;
Interoperability Issues - the lack of standardized protocols creates fragmentation, making integration challenging across various platforms;
Regulatory Ambiguity means businesses are hesitant to adopt DIDs without clear guidance or legal frameworks;
Security concerns, where users might be concerned about the security of decentralized systems around private key management and potential vulnerabilities.
Therefore, it is not just regulatory obstacles that hamper the wider adoption of DIDs and virtual credentials. Until all obstacles listed above are addressed, progress towards mass adoption will continue to stagnate.
The myth that crypto is primarily being used for tax evasion, crime funding, and money laundering still exists, especially in Bulgaria. Yet, traditional banking institutions have been involved in much more scandalous affairs in that regard. How would you comment?
Yes indeed, there are a lot of myths around crypto being associated with money laundering, fraud and other types of financial crime. Here in Bulgaria, we’ve seen some of the biggest crypto fraud cases, like that of Crypto Queen Ruja Ignatova. Those cases always get very high publicity, creating a negative view of the industry as a whole.
However, when one looks at statistics, there is much more money still being laundered via traditional financial institutions, particularly banks. For example, Nasdaq Verafin Global Financial Crime Report highlighted that an astonishing $3.1 trillion in illicit funds were funneled through the global financial system in 2023. At the same time, Chainalysis estimates that around $2.4 billion were received by illicit cryptocurrency addresses. This accounts for just 0.34% of the total cryptocurrency volume used for money laundering; and a mere 0.08% of global money laundering activities passing through blockchain. Therefore, while crypto contributes to illicit activity - it is not at the forefront of total financial crime rates.
Guaranteeing that a crypto business remains compliant must be an enormous challenge, given the often unclear and purposefully murky expectations of regulators. Do you think that MiCA is a step in the right direction?
I have been in the crypto compliance space since 2019. I can certainly confirm that it was a massive challenge for any reputable crypto business to stay abreast of all the fragmented and ever-changing requirements from various regulators across the globe, even more so for crypto businesses operating cross-border. MiCA is definitely a step in the right direction, providing greater regulatory clarity and consumer protection. However, it still does not address all the regulatory gaps, so lots of questions still remain unanswered. Furthermore, a lot depends on how each EU member state transposed MiCA into their local laws, so the regulatory fragmentation might still be an issue for the industry.
Do you consider regulators’ sentiment towards the crypto industry generally improving? Can we consider MiCA as a sign of acceptance or just a method of control?
In my opinion, the regulators’ view of the crypto industry has definitely evolved in the right direction. Regulators’ main objectives are to ensure market stability and consumer protection. Initially, crypto was viewed as a threat to both of those objectives and as an instrument for fraud and money-laundering. Some countries banned cryptocurrencies outright, others either took a more cautious approach or tried to fit crypto into the existing regulatory frameworks.
Nowadays regulators are taking a more progressive regulatory stance towards crypto, opening up various sandbox regimes for crypto companies to test their products in a safe regulatory environment.
What inspired you to join the inaugural ETHSofia Conference? Which aspects of the event are you most looking forward to?
I have lived in Sofia for the last eight years and this is the first-ever event of such a grand scale for the crypto community here. The moment I heard about ETHSofia, I contacted the organizers for the opportunity to participate and am very grateful to have been accepted. I am mostly looking forward to our regulatory panel on the 19th October, side events, such as Women in Web3 and Reg3 Conference. Overall, it is an amazing opportunity to meet all the people working in the crypto sphere in Bulgaria and beyond.
Our series of interviews with the fascinating ETHSofia speakers has so far offered valuable perspectives on the crypto journeys of Daedalus Angels’ Valentin Mihov, Lido’s Will Shannon, Zerion’s Evgeny Yurtaev and Grayson Ho, Village DAO's Stilyan Mitrev, Serotonin's Vanina Ivanova, KILT's Ingo Rübe, and Krum Pashov.