Both the FCA and the PRA have written to firms to warn about certain risks associated with exposures to crypto-assets, and to advise firms of the measures they should consider implementing to mitigate such risks.
The FCA and the PRA have each written a “Dear CEO” letter to firms, to warn about the risks associated with exposure to crypto-assets. The letters reflect each regulator’s concerns, according to their regulatory remit, and provide examples of practical measures that firms should be putting in place.
These letters come at a time when both the use and the regulatory scrutiny of crypto-assets are increasing, with the FCA recently revealing in a response to a Freedom of Information Act request that it is currently investigating 24 crypto firms.
Financial Crime Risks
The letter from the FCA focuses on conduct-related risk — namely, the financial crime risks relating to crypto-assets that banks may face.
The FCA stresses that banks should take reasonable and proportionate measures to lessen the risk of facilitating financial crime through their exposures to crypto-assets (which, by their nature, lend themselves to anonymity). The FCA suggests that if a bank offers services to clients who derive significant business activities or revenues from crypto-related activities, enhancing scrutiny of these clients and their activities may be necessary.
The FCA suggests that banks might consider measures such as:
- Developing staff knowledge and expertise on crypto-assets, to help them identify the clients or activities that pose a high risk of financial crime
- Ensuring that existing financial crime frameworks adequately reflect the crypto-related activities that the firm is involved in, and that these frameworks are capable of keeping pace with fast-moving developments
- Engaging with clients to understand the nature of their businesses and the risks they pose
- Carrying out due diligence on key individuals in the client business, including consideration of any adverse intelligence
- Assessing the adequacy of clients’ own due diligence arrangements, if clients are offering forms of crypto-exchange services
- If clients are involved in initial coin offerings (ICOs), considering the issuance’s investor base, organisers, the functionality of tokens (including intended use), and the jurisdiction
Banks are also expected to carry out proper source of wealth checks on customers whose wealth or funds derive from the sale of crypto-assets, or other crypto-related activities. The FCA stresses that although the evidence trail may be weaker in relation to crypto-assets than for other sources of funds, this does not justify applying a different evidential test.
The letter from the PRA is addressed to banks, insurers, and PRA-regulated investment firms, and focuses on prudential and financial stability risks.
While acknowledging the potential benefits crypto may have for the financial system over time, the PRA reminds firms of their responsibilities under PRA rules.
In particular, the PRA sets out the following examples of measures it considers appropriate for firms to implement in relation to crypto-assets:
- Firms must recognise that crypto-assets represent a new, evolving asset class, with risks that should be considered fully by the board and the highest levels of executive management. In particular, an approved Senior Manager should be involved actively in reviewing and signing off on the risk assessment framework for any planned direct exposure to crypto-assets and/or entities heavily exposed to crypto-assets.
- Firms should ensure that their management approaches are commensurate with the risks of crypto-assets. Understanding the risks of such complex assets will require access to appropriate expertise. Firms are expected to undertake extensive due diligence before taking on any crypto-exposures, and must maintain appropriate safeguards against all the related risks (including financial, operational, and reputational risks).
- Firms should inform their usual supervisory contact of any planned crypto-asset exposure or activity on an ad hoc basis, together with an assessment of the risks associated with the intended exposure. Firms should also inform their usual supervisory contacts of the Senior Manager responsible for approving the exposure.
- Firms’ remuneration policies and practices should ensure that the incentives provided for engaging in crypto-related activities do not encourage excessive risk-taking.
The letter also explains how the PRA would expect firms to take into account risks relating to crypto-exposures in their Internal Capital Adequacy Assessment Process or Own Risk and Solvency Assessment. The PRA emphasises that, although classification of crypto-assets for prudential purposes will depend on the precise features of the asset, crypto-assets should not be considered as currency for these purposes. The PRA also notes that discussions are ongoing at both domestic and international levels regarding the appropriate prudential treatment of crypto-assets, and it will update firms on any developments in this respect in due course.
While (as the PRA acknowledges) many firms may not yet have any exposures to crypto-assets, many will likely consider such exposures in future, if they have not done so already. Firms should note the regulators’ concerns and seek to put in place the measures advised, if appropriate.
However, firms should also note the implicit acknowledgement from the UK’s financial regulators that they are not prohibiting regulated firms from holding crypto-assets or entering the crypto markets. Rather, firms must be aware of any enhanced idiosyncratic risks relating to these assets, and ensure that they have appropriate systems, controls, and risk management procedures in place to deal with these risks. Therefore, the regulators’ decision to set out some clear expectations and practical measures in a notoriously uncertain area is helpful for firms.