This article is the fourth article in a series about banks and the digital assets market. You can read the earlier articles here:
- What Banks Should Know about the Cryptocurrency and Digital Assets Market
- Real Opportunities for Banks to Engage in Digital Assets
- Five Steps Banks Should Take for a Coherent Digital Asset Strategy
Compared with traditional asset classes, digital assets represent heightened risks for financial institutions, especially given current market volatility, prevalence of fraud and cyberattacks, lack of standardization, regulatory uncertainty and the continuous evolution of technology. Having said that, in terms of risk categories, recent events have shown that, in fact, the digital asset ecosystem and the more traditional finance environment are not so dissimilar. Both must confront and mitigate technology risks, operational risks (fraud, cybersecurity and privacy), compliance and regulatory risks and financial stability risks. In both cases, banks can face legal and reputational risk in the event of business interruption or security failure and even be exposed to counterparty risk.
The Technology Risks Facing the Banking Industry
Banks’ heavy reliance on technology makes them vulnerable to risks arising from the complexity of that technology, including coding bugs in smart contracts and the potential compromise of digital token wallets or private keys.
In December 2022, the Basel Committee on Banking Supervision (BCBS) finalized its standard for banks’ exposures to crypto assets; it lays out a deadline of January 1, 2025, for regulators to implement the standard, which provides a non-exclusive list of risks that banks must consider and mitigate, including crypto-asset technology risks like the stability of the network and distributed ledger technology (DLT), the design of DLT, service accessibility and the trustworthiness of node operators.
To comply with the new standard, banks are relying on the fact that the stability of the DLT or similar technology network can be improved by enhancing the reliability of source code, governance of protocols and integrity of the technology. Other considerations in working toward compliance include capacity constraints, digital storage mechanisms, scalability of the underlying ledger technology and network security.
Banks should increasingly focus on managing information, communication and technology (ICT) risks through robust governance and appropriate risk control policies and procedures, including scenario modeling for incident management procedures and testing of ICT tools and systems. It almost goes without saying that business continuity planning today must be sufficiently embedded in the enterprise-wide technology architecture.
Operational Risks Banks Should Anticipate
Operational and cyber risks that banks should prepare for include those targeting DLT platforms, including cryptographic key theft, compromise of log-in credentials and distributed denial-of-service (DDOS) attacks that lead to unauthorized transfers, data breaches and technological outages. A recent report from Chainalysis shows that $3.8 billion worth of cryptocurrencies were stolen by hackers from businesses in 2022. DeFi protocols were the primary target for hackers and accounted for 82% of cryptocurrencies stolen.
Banks with direct or indirect exposure to risk – or those that are engaged in related activities – should identify plausible sources of internal and external operational risks, including outsourcing, cyber risk, information security and privacy risks, data integrity and identity and access management. For example, JP Morgan invested in a blockchain intelligence company, TRM Labs, that provides cross-chain data analytics to help financial institutions detect crypto-related fraud and financial crimes and meet anti-money-laundering (AML) regulations.
With a robust operational resilience framework, banks can put themselves in the best position to ensure the reliability, availability and safety of digital asset services and mitigate the associated risks through the use of appropriate systems, policies, procedures and controls. Financial institutions should also strengthen their cybersecurity posture by simulating attacks to improve responses, enhancing smart-contract and DeFi-code audits and investing in security and training measures. With the stakes so high, only a coordinated and comprehensive risk mitigation strategy will do.
Changing Compliance and Legal Risks Facing Banks
Banks that fail to comply with AML regulations and combating the financing of terrorism (CFT) laws could face financial or operational losses as well as significant reputational damage. With ever stricter regulatory oversight, banks must also meet additional compliance requirements including Know Your Customer (KYC), Know Your Business (KYB), Know Your Transaction (KYT) and Know Your Data (KYD).
In January 2023, major banking regulators, the Fed, the OCC and the FDIC cautioned banks about the risks associated with crypto asset-related activities on the basis that being exposed to this sector could pose risks to the overall safety and soundness of the banking system. Regulators warned about contagion risk, the lack of maturity of governance practices in this sector and the risks in open, public and decentralized networks and similar systems.
The unprecedented speed and novelty of crypto-asset evolution (with regulators struggling to keep up) brings unique legal risks in the context of accounting standards, control and ownership rules, disclosure requirements and bans related to crypto assets in certain jurisdictions. With a relative lack of regulatory clarity on such assets, including NFTs and DeFi networks, banks should tread carefully until there is a comprehensive and consistent regulatory framework at a national or global level.
In the meantime, banks must implement robust governance, compliance and risk management frameworks – including oversight, policies, risk assessments, controls and guardrails – to effectively manage all categories of risk. Besides developing in-house compliance capabilities, banks will increasingly look to partner with technology vendors and service providers that offer compliance services, including forms of “regulatory compliance as a service.”
Banks Are Prone to Financial Stability Risks
Banks that have direct or indirect exposures to crypto and digital asset activities also face major risks to their financial stability, including the susceptibility of stablecoins to run risk, creating potential major deposit outflows for banks that hold stablecoin reserves. Other financial risks include credit, liquidity and market risks, contagion risk, market manipulation, insider trading, lack of transparency in pricing, disintermediation of banks and vulnerabilities related to DeFi platforms.
Although the interconnection between the digital asset ecosystem and the traditional financial sector has been limited to date, growth in the number of interlinkages could increase the potential for spillovers to the wider financial system. Banks can mitigate these risks with effective planning, performing robust due diligence and adopting the guidelines and regulatory frameworks set out by global regulators. In addition, banks can (and in some cases, must) participate in supervisory reviews like performing stress tests or scenario analyses to assess crypto-asset risks and ensure adequate capital and liquidity buffers.
Despite an upward trend in activity and offerings, the security and regulatory uncertainties of digital assets certainly stand in the way of widespread adoption. With a flurry of lawsuits and actions against many crypto companies and exchanges following the FTX meltdown, some banks are now re-evaluating their exposure to the crypto and digital assets sector. A number of smaller banks, such as the New York-based Metropolitan Commercial Bank, are either exiting the crypto business, cutting ties with exchanges or reducing their exposures more generally.
Instead of pumping the brakes, banks should take a balanced approach that capitalizes on the potential opportunities and benefits that digital assets bring. This starts with a comprehensive understanding and mitigation plan for the identified risks across all categories. ISG leverages industry knowledge and insight to help banks and financial institutions determine the right digital asset strategy, develop the associated target operating model and source the right technology and partners to ensure a successful foray into this volatile market space. Contact us to find out how we can get started.