Letters

Crypto-assets: Risk management expectations and policy roadmap
Print

Published 21 April 2022

In recent years, there has been rapid growth in crypto-assets and the use of distributed ledger technology. While activities associated with crypto-assets are still relatively limited in Australia, the potential scale and risks of such activities could become significant over time.

In this context, APRA is setting out initial risk management expectations for all regulated entities that engage in activities associated with crypto-assets, and a policy roadmap for the period ahead.1 Regulated entities should engage with their responsible supervisor if they are undertaking activities associated with crypto-assets.

APRA’s expectations regarding risk management
 

There are several types of crypto-assets, including tokenised traditional assets, crypto-assets with stabilisation mechanisms (stablecoins) and other unbacked crypto-assets, and a range of direct and indirect activities associated with these assets that entities could undertake. Such activities include, for example, investment in crypto-assets, lending linked with crypto-assets, issuance of crypto-assets, and providing services associated with crypto-assets for customers. In addition, entities may seek to invest in or partner with technology or other companies to provide new offerings for customers.

While these activities can provide opportunities and benefits for the financial system and its customers, they also bring new risks that may be challenging for entities to identify, assess and manage. As the Basel Committee on Banking Supervision has noted, certain crypto-assets have exhibited a high degree of volatility and could present material risks as exposures increase. The risks are wide-ranging, covering, for example, operational, investment, and credit risk. The operational risks are particularly important, and encompass fraud, cyber, conduct, AML/CTF and technology risks.

APRA therefore expects that all regulated entities will adopt a prudent approach if they are undertaking activities associated with crypto-assets, and ensure that any risks are well understood and well managed before launching material new initiatives.

In particular, APRA expects that all regulated entities will:

  • Conduct appropriate due diligence and a comprehensive risk assessment before engaging in activities associated with crypto-assets, and ensure that they understand, and have actions in place to mitigate, any risks that they may be taking on in doing so;
  • Consider the principles and requirements of Prudential Standard CPS 231 Outsourcing or Prudential Standard SPS 231 Outsourcing when relying on a third party in conducting activities involving crypto-assets; and
  • Apply robust risk management controls, with clear accountabilities and relevant reporting to the Board on the key risks associated with new ventures.2 A high-level summary of the potential prudential risks to be considered for specific activities is provided in Annex A.

Entities also need to ensure they comply with all conduct and disclosure regulation administered by ASIC. This will require robust conduct risk management and consideration of distribution practices and product design, as well as consideration of disclosure.

Entities are expected to consult with APRA and ASIC where they are unclear on prudential, disclosure or conduct requirements and expectations when undertaking activities associated with crypto-assets. ASIC has provided specific guidance to help entities understand their existing obligations under the Corporations Act and ASIC Act in ASIC Information Sheet 225.

Policy roadmap
 

APRA is developing the longer-term prudential framework for crypto-assets and related activities in Australia in consultation with other regulators internationally, to ensure consistency in approach. For authorised deposit-taking institutions (ADIs), the Basel Committee is consulting on the prudential treatment for bank exposures to crypto-assets.3 This will provide the basis for internationally agreed minimum standards for ADIs, and a starting point for prudential expectations for other APRA-regulated industries.

In the period ahead, APRA plans to:

  • crypto-activities: consult on requirements for the prudential treatment of crypto-asset exposures in Australia for ADIs, following the conclusion of the Basel Committee’s current consultation. The consultation in Australia is expected to be undertaken in 2023, and APRA will consider the need for initial prudential guidance in the interim;
  • operational risk: progress new and revised requirements for operational risk management, covering control effectiveness, business continuity and service provider management. While these requirements will apply to the entirety of an entity’s operations, many will be directly relevant to the management of operational risks associated with crypto-asset activities. The draft prudential standard will be released for consultation in mid-2022; and
  • stablecoins: consider possible approaches to the prudential regulation of payment stablecoins. These stablecoin arrangements bear similarities with Stored-value Facilities (SVFs) and APRA, in conjunction with peer agencies on the Council of Financial Regulators (CFR), is developing options for incorporating them into the proposed regulatory framework for SVFs. Subject to the development of the broader legislative and regulatory framework, APRA envisages consulting on prudential requirements for large SVFs in 2023.4

2022 - Basel Committee consultation on crypto-assets & Operational risk standard consultation, 2023 - APRA consultation on crypto-assets (TBC) & SVF consultation, 2024 - Operational risk standard effective and 2025 - Crypto-asset requirements effective (TBC) & SVF standard effective (TBC)

As set out in Transforming Australia’s Payments System in December 2021, and subject to any decisions of an incoming government, there will also be a range of developments in the regulatory framework for crypto-assets and payments more broadly in the period ahead. This follows several key reports in 2021, including the Review of the Australian Payments System, the Senate Committee on Australia as a Financial and Technology Centre Final Report, and the Parliamentary Joint Committee Corporates and Financial Services Report on Mobile Payment and Digital Wallet Services. As part of these broader reforms, the Treasury recently released a consultation on proposed licensing and custody requirements for crypto asset secondary service providers, including digital currency exchanges.5

APRA will continue to closely monitor industry trends and emerging risks associated with crypto-assets, engage with other regulators domestically and internationally, and provide further guidance as required.

Yours sincerely,
 

Wayne Byres
Chair

ANNEX A. prudential risks and relevant standards
 

The table below sets out an initial view on the potential prudential risks for crypto-asset activities relevant to APRA-regulated industries. This risk assessment will evolve over time.6

Activities

Prudential risks

Investments in crypto assets

  • Capital management: ADIs and insurers that invest in crypto-assets will need to ensure that they hold an appropriate level of regulatory capital, and factor any exposures into their ICAAP process and stress testing where relevant. Where a crypto-asset is defined as an intangible asset under the relevant accounting standards, it must be deducted from Common Equity Tier 1 Capital (CET1).7 The Basel Committee is consulting on the longer-term prudential treatment for crypto-asset exposures, which may distinguish between different groups (such as tokenised traditional assets, stablecoins, and other unbacked crypto-assets).
  • Investment risk: RSE licensees considering investments in crypto-assets as part of their investment strategy must ensure they can demonstrate how the investment is consistent with the duty to act in the best financial interests of beneficiaries, meets the investment strategy covenants and complies with existing prudential requirements for investment governance.8
  • Operational risk: There are likely to be a range of operational risks to identify, assess and manage, including fraud, cyber, conduct, financial crime and technology risks. There may also be novel risks inherent in the crypto-asset or network, such as risks arising from the use of third parties for redemption and operation, or through the use of crypto infrastructure providers and exchanges.
  • Other risks: There are a range of other risks to consider, including the implications for liquidity management, market risk management and large exposures measurement. Regulated entities also need to consider disclosure requirements.

Lending activities linked with crypto assets

  • Credit risk: There would be potential challenges in credit risk management associated with the use of crypto-assets as collateral for lending, due to potential price volatility and illiquidity. These challenges would need to be well managed, with a focus on the accuracy and reliability of valuations, the calculation of provisioning levels, and the ability to claim on the security if needed.9
  • Operational risk: There may be operational risks associated with crypto-asset collateral, such as the potential for fraud, financial crime and technological failure. There may also be risks associated with reliance on third parties, such as custodians, crypto infrastructure providers, exchanges and wallet providers.
  • Other risks: The capital, funding and liquidity treatment for loans secured by crypto assets may also be complex to determine and measure, and would need to be confirmed with APRA. 

Crypto assets issuance

  • Operational risk: There are likely to be a range of operational risks to identify, assess and manage in the minting, issuance and burning of any coins, including fraud, cyber, conduct, financial crime and technology risks. The conduct risks would include important considerations around new product design and distribution. Other key considerations would include the need for robust systems for collecting, storing and safeguarding data, and a robust process for redemption.  
  • Other risks: There would also be risks to consider around governance and accountabilities (in particular where there is a reliance on third parties), custody arrangements and the safeguarding of funds, capital and liquidity requirements, and recovery and resolution planning implications.

Services on crypto assets for customers

  • Operational risks: For services on crypto-assets more broadly, there are likely to be a range of operational risks to identify, assess and manage. Specific consideration should be given to the risks around fraud and asset security, including the potential for the loss or theft of private keys, wallets containing funds and authentication devices. Other key risks that would require strong controls include cyber, financial crime and technology risks, as well as conduct requirements around new product design and distribution.

Partnering with technology and other companies

  • Capital: Equity investments in entities or subsidiaries dealing directly or indirectly in crypto assets should be treated in line with existing prudential requirements.10
  • Outsourcing: Entities should ensure that they meet the requirements that apply to the outsourcing of a material business activity, when relying on a third party as part of partnering in activities associated with crypto-assets.11

Footnotes:
 

  1. APRA outlined a new strategic initiative to Modernise the Prudential Architecture in its Corporate Plan for 2021-2025. The aim of this initiative is to ensure that the prudential framework continues to support financial safety and stability in a digital world, including through new rules for new risks such as those arising from crypto-assets. For more detail on the broader plans to modernise the architecture, see APRA’s Policy Priorities (February 2022).
     
  2. For an ADI, APRA expects that the accountabilities for crypto-asset activities would be assigned to a BEAR Accountable Person(s), with adjustments to their accountability statements where appropriate. Entities should consider the impact of all new products on their operational risk profile, and implement any changes required to internal controls.
     

  3. Basel Committee on Banking Supervision, Consultation on the Prudential treatment of crypto-asset exposures (June 2021).

  4. Payment stablecoins have features that enable them to be used as a possible means of payment and store of value. The proposed SVF framework was published by the CFR in November 2020 and is expected to be implemented as part of the Government's reforms to the payments licensing framework announced in December 2021. APRA’s existing requirements for Purchased payment facility providers that have stored value at risk are set out in Prudential Standard APS 610 Prudential Requirements for Providers of Purchased Payment Facilities (APS 610).

  5. Crypto asset secondary service providers: Licensing and custody requirementsconsultation paper (21 March 2022).

  6. This table outlines potential key risks to consider, but the specific risks will depend on the nature of the activity. Prudential Standard CPS 220 Risk Management defines material risks as encompassing: credit risk, market and investment risk, liquidity risk, insurance risk, operational risk, risks arising from strategic objectives and business plans, and other risks that may have a material impact on the entity.

  7. Prudential Standard APS 111 Capital Adequacy: Measurement of Capital, Prudential Standard GPS 112 Capital Adequacy: Measurement of Capital, Prudential Standard LPS 112 Capital Adequacy: Measurement of Capital.

  8. Refer to s. 52(2)(c) of the Superannuation Industry (Supervision) Act 1993 (SIS Act), s. 52(6) of the SIS Act and Prudential Standard SPS 530 Investment Governance respectively.

  9. Prudential Standard APS 220 Credit Risk Management includes requirements for collateral valuation, as well as for credit risk management more broadly.

  10. Prudential Standard APS 111 Capital Adequacy: Measurement of Capital, Prudential Standard GPS 112 Capital Adequacy: Measurement of Capital, Prudential Standard LPS 112 Capital Adequacy: Measurement of Capital.

  11. Prudential Standard CPS 231 Outsourcing, Prudential Standard SPS 231 Outsourcing.

2022

For more information

  • If you are from an APRA supervised institution, contact your APRA Responsible Supervisor.
  • All other users should contact APRA on 1300 558 849 or complete our enquiries form.

Subscribe for updates

To receive media releases, publications, speeches and other industry-related information by email
Subscribe