This is the first in a series of articles looking at crypto-assets (encompassing exchange tokens, security tokens, and utility tokens) through the lens of prevailing regulatory expectations of governance and risk management in the UK. In the absence of a specific regime for crypto assets, the legal and regulatory environment remains uncertain. Some crypto assets fall within the current regulatory regime; others do not. UK policymakers are in the process of clarifying the current perimeter and may expand it in the future.
Board and senior management considerations
The article starts with some issues that boards and senior management of banks, investment firms and exchange platforms should consider, particularly when setting strategy and shaping risk management structures.
Some of the vital questions which financial regulators ask about boards are:
- whether the skill-set of the board, at an individual member level and as a composite, is appropriate to the organisation it governs;
- whether the board receives and effectively uses appropriate management information to inform its governance and oversight of the organisation; and
- whether there is balance and sufficient challenge – boards should not be dominated by one influential member, nor should they exhibit “group think”.
Set out below are some of the issues in relation to crypto assets which UK regulated firms should consider when seeking to meet expectations.
Given the relatively small volume of crypto asset activity (in comparison with other products and markets), banks may have dealt with risks associated with crypto assets as they have arisen. Recent statements from, for example, the Basel Committee on Banking Supervision, indicate it is time to develop a more structured and comprehensive approach:
“Given the risk associated with such exposures and services, banks are expected to implement risk management processes that are consistent with the high degree of risk of crypto assets. Its relevant senior management functions are expected to be involved in overseeing the risk assessment framework. Board and senior management should be provided with timely and relevant information related to the bank’s crypto asset risk profile.”
Distributed ledger technology (DLT) provides the underpinning for crypto-assets. While it is possible to provide simplified explanations of DLT and crypto-assets, the underlying technology is complex. Specialist knowledge is required to understand it. For example, permissioned networks (where the network remains governed by a central authority and the only participants are those granted permission to do so) may present different risks to banks to non-permissioned networks. But beyond that, it will be necessary to have reliable expertise to evaluate the specific DLT being deployed together with the coding used to create the particular crypto-assets in question. Boards need to have a clear understanding of the risks to exercise effective oversight and also to communicate with regulators.
Given the relatively new nature of the technology and the asset type(s), boards face a significant challenge to upskill to a level where they are confident to take decisions about crypto assets. Banks need to consider the full spectrum of risks posed by crypto assets: liquidity risk; credit risk; market risk; operational risk (including technology, fraud and cyber risks); money laundering and terrorist financing risk; how regulation applies; and legal and reputation risks.
One approach is to establish an executive working group which brings together expertise from across the various stakeholders in the bank in relation to crypto assets, plus individuals with expertise (internal or external) in the technology underlying the assets. This should enable the board to:
- understand how due diligence processes should be executed for crypto-asset businesses, activities and investments;
- understand what sort of management information and other reporting is required to appropriately inform the board and its committees about exposure to, and risk arising from, crypto-asset activities;
- learn how to accurately monitor direct and indirect exposure to crypto assets across the bank; and
- be aware of (potentially) applicable regulatory regimes for crypto-assets in relevant jurisdictions.
Banks should scope their exposure to crypto assets. Internal capital adequacy assessment process (ICAAP) and internal liquidity adequacy assessment process (ILAAP) need to be updated accordingly. Where banks assess that they have no direct exposure, they still need to consider any indirect exposure — for example, through retail customers funding crypto asset trading accounts using debit cards or employees subscribing to initial coin offerings (ICOs), etc.,
This is no different, in a sense, to the exposure which a bank will have to, for example, vanilla securities, which raises the question of why a bank should be interested in indirect exposures for reasons other than prevention of money laundering and terrorist-financing.
With retail customers, the main risk for banks is likely to be reputational. Recently, some mobile banking apps have introduced functions which allow account holders to “turn off” payments to certain kinds of outlets – media coverage has particularly focused on the use of such functionality to help those suffering from gambling addiction, but a “crypto addict” could also use the function.
Some banks have stipulated that credit and debit cards may not be used for crypto-asset purchases. This may be for consumer protection reasons. It may also be for risk management: crypto-assets are often used in criminal activities, and law enforcers following the path of illegitimate transactions will question the facilitation role of whoever comes into that path.
Banks may also consider restricting employees from crypto-asset activities. The opportunities and methods of market abuse which exist in the traditional markets also exist in the crypto-sphere. It is a reasonable question whether an employee who engages in practices in relation to crypto-assets which would be abusive trading practices in the regulated markets is demonstrating the level of ethical behaviour which the bank (and regulators) expect.
As with banks, investment firms are likely to have a longstanding awareness of the roles and responsibilities of boards. Investment firm boards need to make sure that, if a decision is made to expand into crypto-asset business, that the regulatory implications of such a move are addressed.
Before embarking on any client offering, investment firms which provide regulated services (e.g. discretionary management, advisory, trading or custody) for traditional asset classes need to consider what skillset is needed to undertake similar services for crypto-assets. This will be similar to that described above for banks.
In the absence of direct regulation of the technologies underlying the assets, investment firms will need to be satisfied that the coding by which the assets have been created works properly, likewise with the DLT network on which the asset is being transferred. Firms will need to be satisfied that the crypto-assets are transferable, can be settled and can be safeguarded.
While exchanges are a mainstay of traditional financial services markets, crypto-exchanges are relatively new. Use of the term “exchange” in reference to crypto asset trading platforms has itself been identified as an issue by the World Federation of Exchanges (WFE) in its response to the UK FCA’s consultation on crypto-asset guidance. WFE highlighted that using the term “exchange” may “give investors a false sense of security, leading them to believe such platforms meet the regulatory standards of traditional exchanges that are regulated and offer transparent public markets.”
For exchange platforms that are unregulated, boards:
- will need to make sure that assets being traded fall outside the regulatory perimeter; and
- may wish to consider adopting as a matter of good practice aspects of exchange regulation to address key risks, such as price transparency, money laundering and market abuse.
For exchange platforms that are regulated and trade crypto assets, boards will need to take steps to ensure that systems and processes enable ongoing compliance with requirements of the regulatory regime. This may range from a review of the adequacy of listing criteria, to order execution and transaction reporting.
Boards should note that the line separating assets within and outside the regulatory perimeter may move: FCA guidance following CP19/03 is expected to be published this summer; and there remains the possibility of HM Treasury changes to the definitions of specified activities and specified investments under the Financial Services and Markets Act 2000 Regulated Activities Order 2001.
First published on Thomson Reuters Regulatory Intelligence on 10 May 2019.