Getting crypto under control

In April this year, the OCC issued its first-ever consent order involving a cryptoasset bank for anti-money laundering (AML) control deficiencies. The consent order required Anchorage Digital to develop and implement a comprehensive AML training program for relevant compliance staff.  More significantly, the order also requires Anchorage to remediate its transaction monitoring program to be able to cope with the intricacies of crypto. All this barely a year after the bank had received its national trust bank charter.

Other regulators are also getting up to speed on digital assets: The European Council presidency and the European Parliament have reached a provisional agreement on the Markets in Crypto-Assets (MiCA) proposal. This will bring crypto-assets, crypto-asset issuers and crypto-asset service providers (CASPs) under an EU-wide regulatory framework intended to protect investors and preserve financial stability. And the SEC and CFTC seem to be edging closer to key decisions.

At the same time, more and more institutions are starting crypto and digital asset businesses. Fidelity launched a bitcoin-trading business for hedge funds and other institutional investors in 2018, and earlier this year allowed corporate clients to add the digital asset to the 401(k) retirement plans it manages for them. The next step will be to allow its retail clients to trade crypto. Large banks are generally further behind than this, often dipping their toes with crypto custody, but all of these operations require trade surveillance and transaction monitoring systems that can cope with the specific characteristics of crypto and the blockchain.

So where should surveillance chiefs start and how can they create control environments for digital assets without a well-defined regulatory framework? Mature institutions already have extensive risk and control libraries around both product sets and risk sets. So, a bank setting up a crypto custody business can start with the framework for traditional assets and then try to identify where crypto-specific risks require additions to that library. These tend to be around technology, operational processes, cybersecurity, enforceability and legal risks and KYC / CDD.

“When we started, we created a separate process for digital assets but we soon realized it was becoming unwieldy and we were creating an industry where we didn’t need to. So, we have now integrated all of our enhanced crypto asset due diligence into each of our principal risk types and embedded that into our existing governance frameworks,” said one head of digital custody.

A key problem is the increasing tension between the first and the second line in a space which is evolving so quickly. Said one: “So, there is a new product idea. And somebody says, ‘okay, what do I need to do now to get that launched tomorrow?’ And the answer is, ‘well, we need to assess the risk and that will take us six months. And then the whole idea dies because that is just too long.” To cope with digital assets, but also new product development in general, the risk assessment process has to be more dynamic and agile. For some in this space, the only solution is a continuous risk assessment process. For others a more dramatic solution seems necessary: some have decided to create separate operating companies for digital asset businesses to free new product development from slow risk framework development and the burden of existing compliance processes.

Banks will need to move fast. At 1LoD’s first Digital Asset Leaders Network recently, digital leaders from key international institutions were asked ‘how developed is your risk and control thinking around digital assets?’. Not one answered that they had a developed risk and control framework for them.