Cryptocurrency exchanges are a vital part of the cryptocurrency ecosystem. While centralized finance (CeFi) exchanges offer several advantages over their decentralized counterparts, they also come with a higher risk profile, largely due to their centralized nature. Performing due diligence on centralized cryptocurrency exchanges is important because of the inherent risks associated with the use of virtual assets.

CeFi exchanges hold large amounts of cryptocurrencies on behalf of their clients, making them a prime target for hackers and other malicious actors. Additionally, the volatile nature of virtual assets and the lack of regulation mean that there is a higher risk of market manipulation and price volatility.

For businesses, exchanges become part of your custody strategy. Even if only a small amount is kept on the exchange for trading, it represents a custody option with increased risk for users and demands careful evaluation.

This article will delve into the three key factors to consider when selecting a CeFi exchange to use.


Because CeFi exchanges hold large amounts of client funds on their servers, we have seen major hacks such as the Bitfinex hack worth $8 billion. To minimize the risk of a hack, it is important to choose an exchange with a strong security record and to store any funds not actively traded in a secure offline wallet (cold wallet). Gemini markets itself as one of the safest CeFi exchanges available to users. Gemini’s safety checks include third-party security assessments: SOC 2 Type 2 and ISO 27001 reports and annual penetration testing.

We usually recommend that our clients confirm that the exchange has completed security audits such as ISO 27001 certification and has a SOC report. A full evaluation of the exchange’s security measures is recommended, covering encryption, authentication, and data protection protocols, as well as its history of security breaches and hacks.

Review the exchange’s account-level security controls: it should support 2FA for login and for transfers, and multi-level approval for withdrawals.

Consider what your coverage is when a hack or security breach does occur by reviewing the exchange’s insurance policy. For instance:

  • Binance international self-insures through the Secure Asset Fund for Users (SAFU). Ten percent (10%) of all trading fees are allocated to this fund to pay out to users in the case of a hack. These funds are stored in a separate cold wallet.
  • Binance US – USD balances are insured up to $250,000 by the Federal Deposit Insurance Corporation (FDIC) and held in custodial bank accounts.
  • Coinbase U.S. customers: Coinbase holds fiat funds in custodial accounts at U.S. banks (insured by the FDIC on a pass-through basis up to the per-depositor coverage limit of $250,000 per individual) and/or invests those funds in liquid U.S. Treasuries or USD-denominated money market funds in accordance with state money transmitter laws.
  • Coinbase non-U.S. customers: fiat is held as cash in dedicated custodial accounts. All custodial pooled amounts are held separate from Coinbase funds, and Coinbase will use these funds neither for its operating expenses nor for any other corporate purposes.


Counterparty risk is the risk that the exchange will default on its obligations to its clients. We have seen this lately with the Chapter 11 liquidations of Celsius, Three Arrows Capital and FTX.

To minimize counterparty risk, it is important to choose an exchange that is transparent and has a good reputation. Now, I hear you, that’s easier said than done. A lot of users promoted FTX as a reputable exchange. Due diligence procedures should therefore be updated so that you analyze the exchange’s reputation yourself and include additional checks.

Another consideration is whether the exchange is regulated, and in what regulatory environment. Regulated exchanges have to abide by enhanced requirements that give users some comfort on their policies and procedures. Gemini Trust Company, LLC is a New York Trust Company regulated by the New York State Department of Financial Services (NYDFS). This means that Gemini is subject to anti-money laundering, capital reserve, consumer protection, and cybersecurity requirements, as well as banking compliance standards set forth by the NYDFS and New York Banking Law.

Some jurisdictions have more stringent regulations regarding the use of virtual assets, which can provide a safer and more secure environment for traders and investors.

A Google search and a full AML analysis of the CeFi exchange for any negative press, sanctions and PEP connections is recommended.


Financial stability is sometimes difficult to assess due to the centralized nature of the exchanges and the fact that they are private companies that have no legal requirement to publish their financial statements. As we have learned with FTX, it’s important to keep an eye on the media for financial disclosures that could provide valuable information to justify more reliance on the exchange or to sink the ship.


Operational risks refer to the risks associated with the day-to-day operations of a CeFi exchange. This can include risks such as incomplete operational procedures, software bugs, hardware failures, and human errors.

We recommend that clients analyze the board of directors and management of the exchange. If the exchange has a central point of control and a lack of independent oversight, that would be a red flag.

Consider which AML screening software is used by the exchange, in addition to what the requirements are for users to register an account and trade. Not all exchanges are equal when it comes to AML procedures, and they offer various levels of trading to unverified users. We recommend aligning the risk appetite of your company or fund with the exchange’s risk level. Comparing the AML requirements of the jurisdiction where your company is registered against the exchange’s requirements will give a good indication of whether the risk profiles are aligned.

Binance, for example, uses Chainalysis and Refinitiv for AML reviews of digital assets received.

Deposit, trading and withdrawal limits usually depend on the level of verification a user has successfully completed. Exchanges that require you to verify your identity, address and source of wealth provide more comfort than exchanges that only require proof of identity.

The jurisdictions that the exchange serves should exclude sanctioned countries as identified by the local laws of the jurisdiction where your company is registered.