In brief

The Australian Prudential Regulation Authority (APRA) has set out its initial risk management expectations for regulated entities that engage in activities associated with crypto-assets, and a policy roadmap for the period ahead in a letter to industry. We explore the APRA proposals in more detail below.


  1. APRA expectations
  2. Policy roadmap
  3. Next Steps

APRA expectations

Across the growing list of crypto-asset related activities, including investment in crypto-assets, lending linked with crypto-assets, and issuance, service providers face a range of operational risks. These include fraud, cyber, conduct, AML/CTF and technology risks.

APRA’s expectation, outlined in the letter, is that all regulated entities will:

  • conduct appropriate due diligence and a comprehensive risk assessment before engaging in activities associated with crypto-assets, and ensure that they understand, and have actions in place to mitigate, any risks that they may be taking in doing so;
  • consider the principles and requirements of Prudential Standard CPS 231 Outsourcing or Prudential Standard SPS 231 Outsourcing when relying on a third party in conducting activities involving crypto-assets; and
  • apply robust risk management controls, with clear accountabilities and relevant reporting to the board on the key risks associated with the new ventures (e.g., assigning accountabilities for crypto-asset activities to BEAR Accountable Person(s)).

Potential prudential risks include:

  • Capital management: Note that where a crypto-asset is defined as an intangible asset under the relevant accounting standards, it must be deducted from Common Equity Tier 1 Capital (CET1). The Basel Committee is consulting on longer-term prudential treatment for crypto-asset exposures, which may result in distinctions for different types of crypto-assets.
  • Investment risk: Registrable Superannuation Entities licensees considering crypto-asset investments as part of their investment strategy must be able to demonstrate how the investment is consistent with the duty to act in the best financial interests of beneficiaries, meets investment strategy covenants, and complies with existing prudential requirements.
  • Operational risk: Entities will need to continue to grapple with the inherent operational risks, and must identify, assess and manage fraud, cyber, conduct, financial crimes and technology risks. Issues around custody or the use of third parties for redemption and operation are also likely to come up.

APRA has also indicated that entities must ensure they comply with all conduct and disclosure regulations administered by ASIC, including robust conduct risk management and consideration of distribution practices and product design, and disclosure. Entities that are unclear on prudential, disclosure or conduct requirements and expectations associated with activities relating to crypto-assets are expected to consult with APRA and ASIC.

Policy roadmap

The crypto-asset proposals form part of APRA’s strategic initiative to modernise the prudential architecture, aimed at ensuring the Australian prudential framework supports financial safety and stability in a digital world.

In consultation with other regulators internationally, APRA has indicated that it is developing a longer-term prudential framework for crypto-assets and related activities in Australia. The Basel Committee consultation on the prudential treatment for bank exposures to crypto-assets will provide the basis for internationally agreed minimum standards for authorised deposit-taking institutions (ADIs) and a starting point for prudential expectations with respect to other APRA-regulated entities.

APRA’s proposed plans ahead are summarised below.

| Timing | Activity |
|--------|----------|
| 2022 | Basel Committee consultation on crypto-assets. Draft prudential standard regarding new and revised requirements for operational risk management (covering control effectiveness, business continuity and service provider management) released in mid-2022 for consultation. |
| 2023 | Consultation on requirements for the prudential treatment of crypto-asset exposures in Australia for ADIs (post conclusion of Basel Committee’s current consultation). In the interim APRA will consider the need for initial prudential guidance. APRA considers that payment stablecoin arrangements bear similarities with stored-value facilities (SVFs). APRA in conjunction with the Council of Financial Regulators is developing options for incorporating payment stablecoins into the proposed regulatory framework for SVFs. Subject to broader developments on the legislative framework, APRA envisages consulting on prudential requirements for large SVFs in 2023. |
| 2024 | Operational risk standard expected to become effective. |
| 2025 | Crypto asset requirements expected to become effective. SVF standard expected to become effective. |

Next Steps

The regulatory framework for virtual assets continues to evolve quickly as regulators look to match the pace of change and determine how best to balance the need to facilitate innovation whilst also ensuring appropriate investor protections. Through the work of supranational bodies like the International Organization of Securities Commissions (IOSCO), the Bank for International Settlements (BIS) and the Financial Action Task Force (FATF), the alignment between regulators is likely to increase. It is important for virtual asset service providers, issuers and other participants in the ecosystem to understand the evolving operating requirements to ensure that they are able to best leverage their products and offer them to as broad a client base and in multiple markets as possible. Conversely, institutional investors will continue to welcome increased regulatory certainty and clarity regarding the means by which they may continue to explore broader investment opportunities to generate potential returns for their beneficial holders.