Cryptoassets – Regulating the Unregulated

As international legislators and policy makers rush to catch up with the exponential growth of the cryptoasset market the PRA is applying the existing regulatory framework to control their expanding use, while the FCA is focusing on the management of growing risks in the areas of financial crime and custody.

At the end of March, the PRA issued a ‘Dear CEO’ letter to banks and designated investment firms setting out how the existing prudential framework should be applied to ensure that firms already engaging in cryptoasset activity meet their benchmarks for safety and soundness.

They emphasised, in a world that is constantly evolving and changing, firms have to go back to first principles to ensure crypto risks are assessed, mitigated and properly capitalised.

The letter sets out the steps that the PRA wants to see firms taking, under five headings:

1.       Strong Risk Controls

The PRA reminds firms of their responsibilities under the PRA’s Fundamental Rules to act in a prudent way, have effective risk strategies and risk management systems and to deal with the regulators in an open manner.

In line with their policy of personal accountability they stress that all crypto risks should be fully considered by the board and the highest levels of executive management Firms should appoint an appropriate Senior Management Function to be personally involved in the assessment and sign-off on the risk management framework for any planned business that gives rise to direct exposure to cryptoassets or entities that are heavily exposed to cryptoassets.

Firms must review their existing risk management strategies and systems to adapt to the different risk profiles of crypto activity risks. They need to review their risk models and valuation systems as they may need to factor in greater uncertainty or lower risk tolerance levels. They may also need to rely on proxies to a greater extent and make assumptions about the interconnectivity of risk exposures. Robust stress tests need to be considered to ensure that risks are being properly captured.

2.       Prudential Framework

In addition to the Fundamental Rules, the PRA expects the full prudential framework to be taken into account including Pillar 1 of the Internal Capital Adequacy Assessment Process (ICAAP) and additional Pillar 2 considerations.  Firm should be prepared to discuss their treatment of cryptoasset exposures with their supervisors.

3.       Pillar 1

In some areas the existing Pillar 1 measures are not well calibrated to cryptoasset risks. These are currently under consideration by the Basel Committee on Banking Supervision and pending publication of their conclusion, the PRA reminds firms of their requirements for specific risks. In particular, exposure to market and counterparty credit risks in market-making and the direct holdings of assets and also operational risks (including custodial services) and credit exposures to crypto firms and crypto collateral.

In many cases, the direct holding of cryptoassets will be classified as intangible assets and deducted (usually a 100% deduction) from common Equity Tier 1.

              Market Risk

Where a firm has a risk position for which there is no appropriate treatment specified in the Capital Requirements Regulation (CRR) firms must calculate their own funds requirements for that position by applying the most appropriate rules. In most cases, cryptoassets are unlikely to be sufficiently similar to existing asset classes which suggests an appropriate capital requirement of 100% of the current value of the firm’s position.  

In estimating exposures, firms’ diversification and hedging frameworks should be conservative and estimate the impact of stress events in the event of a deterioration of the relationship of the hedge. The PRA suggests looking at the commodity framework in CRR Articles 357 and 358 to assess the current value of positions arising from derivatives referencing cryptoassets.

              Counterparty Credit Risks

In January of this year the PRA implemented the standardised approach to counterparty credit risk (SA-CCR). Under Article 277, firms must map each transaction to one of the identified risk categories based on a primary risk driver that is an identifiable factor which drives the risk. In many cases the primary risk driver for crypto activities is unlikely to be one of the traditional drivers but will be the price of the crypto risk asset itself. It will therefore fall under the ‘other risks’ category for SA-CCR purposes which limits diversification and hedging as this can only apply where the primary risk drivers are identical.

Firms must consider whether the standardised approach and its specific components fully capture the full counterparty credit risks associated with many cryptoassets and, where necessary, ensure risks are captured in an appropriate part of the framework.

4.       Pillar 2

The Pillar 2 framework addresses risks not captured by Pillar 1. Firms must separately assess their exposure to crypto activities for market risk, credit risk, counterparty credit risk and operational risk, along with the extent to which products, market participants or legal structures might expose the firm to risks not generally considered in their current Pillar 2 assessments.

Operational risks, for example fraud or cyber risks and the outsourcing of crypto activities (e.g., the custody of crypto keys) should be fully understood. Firms should understand their ability to access and gain control of their assets in the event of a third-party service provider failure.

5.       Next Steps

At present the next steps are unclear. The Basel Committee is currently undertaking work to determine the risks of banks operating in cryptoasset markets and once completed, their conclusions will then have to be taken on board by international supervisors and incorporated into local legislation and regulations. It may well be that the U.K.’s long-term treatment will differ from the current framework and the PRA has said it will consult with firms on any proposed changes. In the meantime, firms that are involved in cryptoasset activities have to go back to first principles and analyse and assess their current risks applying the current prudential framework as set out in the PRA’s letter.

2022 is clearly going to be a very busy year in the crypto space and FMCR will be keeping its clients updated on developments through LinkedIn. For further information please contact FMCR at contact@fmcr.com

Peter ManningFMCR