What is the operational risk exposure from cryptoassets?

Cryptoassets becoming mainstream

Given the rapid rise, and at times volatility, in the valuation of some cryptoassets they are increasingly hard to avoid. In a recent study the FCA estimates that within the UK 2.3 million individuals now hold cryptoassets (up more than 20% from last year), and nearly 80% of adults are now familiar with them.

Correspondingly, there has been interest in understanding the risks associated with their use. Particularly in comparison to more traditional assets. To understand how financial and non-financial risk exposures could change with cryptoassets there are a wide range of angles to consider: the volatility and liquidity of the assets, the technology and legal frameworks that underpins them, and the infrastructure used to exchange them. Here we focus on the non-financial exposures – which includes fraud, cyber, financial crime, legal and reputational, risks.

What do we see?

Within existing events

Within our ORX News service, which collates and categorises publicly reported operational and non-financial risk events, we appreciate the increasing importance of a full understanding of the risks of cryptoassets. For this reason, we include a specific industry focus on cryptocurrency exchanges.  

Most events we see are associated with External Fraud, particularly the loss of cryptoassets or system infiltration by external actors. There is also a high proportion of stories about the embezzlement of investors’ funds by internal staff.

Other, less common stories concern improper business or market practices, and the execution, monitoring and reporting of crypto transactions by the company, as well as technology and infrastructures failures causing business disruption. These are operational risk events and losses that affect banks and cryptocurrency companies or exchanges alike.

Between 2015 and 2019, the number of cryptocurrency-related stories reported by ORX News increased by almost 10-fold, a rise likely to mirror the increase in volume of cryptocurrency transactions. Fewer cryptocurrency stories were reported in 2020 and during the first two quarters of 2021, likely due to fewer stories in public media during to the coronavirus pandemic. The highest cryptocurrency-related losses recorded in ORX News so far in 2021 are Turkish cryptocurrency exchange Thodex losing USD 2 billion after its CEO allegedly took users’ funds and fled Turkey, and decentralised finance (DeFi) platform Poly Network losing USD 269 million in cryptocurrencies when a hacker exploited a system vulnerability between contract calls.

As an emerging risk

Cryptoassets are also mentioned in the context of emerging operational risks. To date, this has been in the context of risks arising from the adoption of new technology, and risks more specific to cryptoassets. Including:

• Risks from errors in development and deployment, and the task of implementing robust mitigation and control frameworks for cryptoassets.
• Changes in the profiles of regulatory, compliance and legal risks related to the security and privacy of data.

Regulatory focus

In June 2021 the BCBS published a consultation on the “prudential treatment of cryptoasset exposures”. This builds on a statement and a discussion paper published in recent years

This paper is potentially significant for operational risk. The proposal states that whilst some lower risk groups of cryptoassets (Group 1 - tokenised traditional assets and stablecoins) fall within the existing Basel framework, others (Group 2 - such as bitcoin) will be subject to a new prudential treatment. This difference is articulated in their first guiding principle where the key statement is in the last sentence, confirming risks from cryptoassets will be assessed in relation to risks from traditional assets.

The regulatory approach

Those familiar with recent work on minimum capital standards for operational risk will recognise the desire for simplicity in the design of the prudential framework, but there are also older echoes of methodologies contained in Basel II from 2006.

The options laid out have a familiar ring to them:

There are some fundamental questions that come from the regulatory consultation - to what extent does is overall operational risk exposure increased with cryptoassets, and how much (if not all) of this is already captured within Pillar I capital?

It appears the primarily concern are the risks from new technology. The consultation carefully states that “the prudential framework should apply the concept of “technology neutrality” and not be designed in a way to explicitly advocate or discourage the use of specific technologies” but singling out the use of an individual area of technological advance (say in comparison to cloud or AI) could create perverse incentives.

Active management of cryptoasset risks

Cryptoassets are just one of many innovations contributing to the rapid digitalisation of finance. The move to digital requires Operational and non-financial risk (ONFR) management to step up like never before and support financial organisations as they go through a period of widespread transformation. The most ambitious risk leaders – those keen to turn ONFR into a function that allows digital transformation to happen safely – are beginning to manage operational risk in a far more active way.

Active risk management means being always on the front foot and pre-empting the risks associated with change initiatives by working with the business to mitigate them in the design and development phase. It means translating the risks into actionable processes for senior management, ensuring a sharp focus on the most material risks, and scanning the horizon for the risks that lie ahead

To do this, the risk function needs to be fast, dynamic, knowledgeable, and innovative – both in the digital tools it deploys but also in how it positions itself in the organisation. Active risk management is crucial if we are to successfully manage risks that are emergent, fast moving, and where there is lack of institutional experience.

For a comprehensive view of the strategy the industry is adopting to manage risk in an increasingly digitalised world download the report, Right time, right place: The drive for change in operational and non-financial risk,