The recent implosion of crypto firm FTX and its affiliates provides a case study for potential crypto exposure under traditional insurance policies in this series of four articles: Silent Crypto for D&O and Corporate Liability Insurance (Part I), Silent Crypto Exposure for Accountants (Part II), Silent Crypto Exposure for Lawyers (Part III), and Crime and Custody Coverage for Crypto Assets (Part IV).
Crime and Custody Coverage for Crypto Assets
Dollars are fungible with each other. And so it’s not like there’s this $1 bill over here that you can trace through from start to finish. What you get is more just omnibus, you know, pots of assets of various forms.
– Sam Bankman-Fried
The recent collapse of the once highly lauded FTX cryptocurrency exchange and its affiliated entities has resulted in the inexplicable disappearance of billions of dollars of investor funds and crypto assets that seemingly vanished into thin air overnight. These events shine a spotlight on the potential exposure related to the loss or theft of funds, cryptocurrencies or other digital assets held by crypto firms or third parties.
OCC Softens Stance on Banks’ Cryptocurrency Activities
In the past few years, the U.S. Office of the Comptroller of the Currency (OCC) has issued a series of interpretative letters and guidance regarding the agency’s loosening stance on banks engaged in cryptocurrency activities.
First, OCC confirmed that banks may provide cryptocurrency custody services to customers by holding the “unique cryptographic keys associated with cryptocurrency." OCC explained that cryptocurrencies are held in “wallets” that store the cryptographic keys associated with digital currency. These can be “hot” wallets connected to the internet or “cold” wallets, which are completely offline and considered more secure from hacking.
The digital currencies reside on a blockchain, also known as distributed-ledger technology (DLT). To authorize transactions involving cryptocurrencies or other digital assets, individuals must use their private cryptographic key. These private keys are sacred, and if they are lost or stolen, individuals lose all access to their digital assets. OCC observed that such custodial services are merely a modern-day expansion of banks’ traditional role of safekeeping and custody of assets.
Second, OCC has indicated that banks also may hold reserves to support “stablecoin” transactions. Stablecoin are digital coins backed by another asset such as a fiat currency (for example, the U.S. dollar) and, hence, considered less volatile than other cryptocurrencies. In particular, OCC noted that stablecoin issuers might want to place the cash reserves backing their stablecoin with a national bank. In that case, banks should have contractual agreements in place with the coin issuer to verify that the value of the deposit balances held in reserve by the bank are equal to or greater than the value of the stablecoins at any given time.
Third, OCC has authorized banks to participate in cryptocurrency transactions based on blockchain or DLT, including independent node verification networks (INVNs). By way of background, OCC observed that the “primary role of banks is to act as financial intermediaries” in the financial markets and payment systems. In this role, banks may “facilitate the exchange of payments and securities” and “settle transactions” for parties.
With advances in technology and the global financial markets, there is “increasing demand in the market for faster and more efficient payments through the use of decentralized technologies, such as INVNs, which validate and record financial transactions, including stablecoin transactions." As such, the OCC has concluded that a “bank may validate, store and record payments transactions by serving as a node [or participant] on an INVN."
However, in all financial transactions involving cryptocurrencies, OCC has emphasized that banks still are required to abide by Anti–Money Laundering (AML) and Bank Secrecy Act (BSA) compliance requirements, given the heightened risks posed by such transactions. In particular, “a bank should specifically address risks associated with cryptocurrency activities, including, but not limited to, operational risk (e.g., the risks related to new, evolving technologies; the risk of hacking, fraud and theft; and third-party risk management), liquidity risk, strategic risk, and compliance risk."
OCC’s softer stance on cryptocurrency activities by banks has opened the door for traditional financial institutions to participate in a limited capacity. In October 2022, the nation’s oldest bank, BNY Mellon, announced the launch of its Digital Asset Custody platform to hold and transfer Bitcoin and Ether (ETH) for select clients.
Don’t Count on FDIC Insurance for Crypto Assets
Notwithstanding the OCC’s blessing bestowed on banks engaged in cryptocurrency transactions, the Federal Deposit Insurance Corporation (FDIC) has made it abundantly clear that FDIC insurance does not apply to financial products such as “crypto assets” or other types of securities or commodities. Moreover, FDIC insurance “does not protect against the default, insolvency, or bankruptcy of any non-bank entity, including crypto custodians, exchanges, brokers, wallet providers, and neobanks."
In short, FDIC insurance only applies to (1) deposits held by insured banks and savings associations and (2) only in the unlikely event of an insured bank’s failure. In other words, FDIC insurance might cover USD held in reserve by an insured bank to back a stablecoin, but would not apply to the collapse of a crypto firm or exchange – such as FTX or its sister company Alameda Research – holding, buying, selling or trading cryptocurrencies for customers.
Vault & Wallet Insurance for Digital Assets
In growing recognition of the need for insurance as a risk management tool for cryptocurrency and digital asset custodial services, insurance companies are slowly wading into the market with new and innovative products. Not surprisingly, the London insurance market – with its history of insuring difficult to place risks and capacity, along with its ability to allocate, and hence reduce, exposure among line slip insurance market participants – was one of the first to jump into the fray.
For instance, in 2020, a consortium of Lloyd’s syndicates launched a liability policy to protect against losses arising from the theft of cryptocurrency held in “hot” (online) wallets. Moreover, this insurance product provided a dynamic limit of liability that fluctuated with the increasingly volatile price of crypto assets. In October 2022, another Lloyd’s syndicate announced a $50 million insurance policy for digital assets held in “cold” (offline) storage by a designated institutional custodian. More recently on November 28, 2022, a digital asset custody platform announced that it had partnered with an insurance company to provide up to $1 billion of coverage for clients that stored their digital assets in the platform’s offline cold vault.
However, thus far, dedicated insurance solutions for the crypto market appear to be limited in terms of the type of coverage (such as vault insurance) to a select group of regulated banks and market participants, as underwriters try to wrap their heads around the potential exposure in the wake of the FTX collapse and multibillion-dollar losses.
Commercial Crime Coverage
The loss of billions of dollars of assets held by FTX shines the spotlight on potential insurance available under traditional Commercial Crime policies. Such policies typically afford coverage for the loss of assets by the insured due to theft by an agent or employee of the firm. These assets may include money, securities or other tangible property.
The classification of digital assets in the context of a crime policy is somewhat hazy. On one hand, the SEC has taken the position that most cryptocurrencies are “securities.” On the other hand, the IRS treats digital assets as “property” for tax purposes. The IRS notes that digital assets may include convertible virtual currency and cryptocurrency, stablecoins and non-fungible tokens. Of course, most would agree that these digital assets are not “tangible” property under a crime policy.
To further complicate matters, the Financial Crimes Enforcement Network (FinCEN) has issued interpretative guidance indicating that money services businesses (MSBs) engaged in “money transmissions” involving “convertible virtual currencies” (CVCs) are subject to the Bank Secrecy Act. According to FinCEN, a CVC “is a type of virtual currency that either has an equivalent value as currency or acts as a substitute for currency.” Under FinCEN guidance, one might argue that a so-called “money transmission” or transaction involving any type of virtual currency involves “money” in the broadest sense – which may include both “traditional currency” and “virtual currency.”
To avoid confusion regarding the scope of coverage under a crime policy, such policies may be amended or endorsed to specifically include cryptocurrency or digital assets. Of course, various policy exclusions still may preclude coverage for the theft or disappearance of assets. For instance, crime policies may exclude coverage for any theft or other fraudulent, dishonest or criminal act by the insured organization’s directors and officers. In the case of FTX, Sam Bankman-Fried (SBF), the founder, principal and former CEO of the company, is alleged to be personally responsible for the loss or theft of missing FTX customer funds and crypto assets.
On December 13, 2022, the Department of Justice unsealed a criminal indictment against SBF charging him with counts of conspiracy to commit wire fraud, commodities fraud, securities fraud, money laundering and violation of U.S. campaign finance laws. Thus, while crime policies may offer an added layer of protection for companies, they will not insure against intentional, knowing theft and misconduct committed at the highest levels of the organization.
To avoid “silent crypto” exposure under traditional insurance policies, carriers should consider asking some basic underwriting questions such as the following:
- Do the company’s business activities include transactions involving cryptocurrencies or other digital assets?
- Does the company issue, buy, sell, trade or lend cryptocurrency, coins, tokens (including NFTs) or other digital assets?
- Does the company hold cryptocurrency or other digital assets in custody?
- Does the company accept or exchange cryptocurrency or digital assets as payment for goods or services?
- Is the company registered with the SEC, Commodity Futures Trading Commission (CFTC) or other state or federal regulators with oversight of the financial markets?
- Is the company licensed as a money services business (MSB) with FinCEN/ U.S. Department of the Treasury?
- Is the company licensed in any states as a money transmitter business (MTB)?
- Is the company subject to the Bank Secrecy Act (BSA) and Anti–Money Laundering (AML) laws?
- Did the company report any cryptocurrency or digital asset transactions (including income, capital gains or losses derived from such transactions) in its IRS tax filings?
- Does the company’s accountant conduct full or partial audits or proof of reserve checks of any cryptocurrencies and digital assets held by the firm?