Letter

Letter to all entities: Crypto-assets risk management expectations and policy roadmap

  • Cross-industry
  • Current
    21 April 2022
  • Apply robust risk management controls, with clear accountabilities and relevant reporting to the Board on the key risks associated with new ventures. A high-level summary of the potential prudential risks to be considered for specific activities is provided in Annex A.
[1] For an ADI, APRA expects that the accountabilities for crypto-asset activities would be assigned to a BEAR Accountable Person(s), with adjustments to their accountability statements where appropriate. Entities should consider the impact of all new products on their operational risk profile, and implement any changes required to internal controls.
Entities also need to ensure they comply with all conduct and disclosure regulation administered by ASIC. This will require robust conduct risk management and consideration of distribution practices and product design, as well as consideration of disclosure.
Entities are expected to consult with APRA and ASIC where they are unclear on prudential, disclosure or conduct requirements and expectations when undertaking activities associated with crypto-assets. ASIC has provided specific guidance to help entities understand their existing obligations under the Corporations Act and ASIC Act in ASIC Information Sheet 225.

Policy roadmap

APRA is developing the longer-term prudential framework for crypto-assets and related activities in Australia in consultation with other regulators internationally, to ensure consistency in approach. For authorised deposit-taking institutions (ADIs), the Basel Committee is consulting on the prudential treatment for bank exposures to crypto-assets. This will provide the basis for internationally agreed minimum standards for ADIs, and a starting point for prudential expectations for other APRA-regulated industries.
In the period ahead, APRA plans to:
  • crypto-activities: consult on requirements for the prudential treatment of crypto-asset exposures in Australia for ADIs, following the conclusion of the Basel Committee’s current consultation. The consultation in Australia is expected to be undertaken in 2023, and APRA will consider the need for initial prudential guidance in the interim;
  • operational risk: progress new and revised requirements for operational risk management, covering control effectiveness, business continuity and service provider management. While these requirements will apply to the entirety of an entity’s operations, many will be directly relevant to the management of operational risks associated with crypto-asset activities. The draft prudential standard will be released for consultation in mid-2022; and
  • stablecoins: consider possible approaches to the prudential regulation of payment stablecoins. These stablecoin arrangements bear similarities with Stored-value Facilities (SVFs) and APRA, in conjunction with peer agencies on the Council of Financial Regulators (CFR), is developing options for incorporating them into the proposed regulatory framework for SVFs. Subject to the development of the broader legislative and regulatory framework, APRA envisages consulting on prudential requirements for large SVFs in 2023.
[2] Basel Committee on Banking Supervision, Consultation on the Prudential treatment of crypto-asset exposures (June 2021).
[3] Payment stablecoins have features that enable them to be used as a possible means of payment and store of value. The proposed SVF framework was published by the CFR in November 2020 and is expected to be implemented as part of the Government's reforms to the payments licensing framework announced in December 2021. APRA’s existing requirements for Purchased payment facility providers that have stored value at risk are set out in Prudential Standard APS 610 Prudential Requirements for Providers of Purchased Payment Facilities (APS 610).
As set out in Transforming Australia’s Payments System in December 2021, and subject to any decisions of an incoming government, there will also be a range of developments in the regulatory framework for crypto-assets and payments more broadly in the period ahead. This follows several key reports in 2021, including the Review of the Australian Payments System, the Senate Committee on Australia as a Financial and Technology Centre Final Report, and the Parliamentary Joint Committee Corporates and Financial Services Report on Mobile Payment and Digital Wallet Services. As part of these broader reforms, the Treasury recently released a consultation on proposed licensing and custody requirements for crypto asset secondary service providers, including digital currency exchanges. 
APRA will continue to closely monitor industry trends and emerging risks associated with crypto-assets, engage with other regulators domestically and internationally, and provide further guidance as required.
Yours sincerely,
Wayne Byres
Chair
[4] Crypto asset secondary service providers: Licensing and custody requirements consultation paper (21 March 2022).

ANNEX A. PRUDENTIAL RISKS AND RELEVANT STANDARDS

The table below sets out an initial view on the potential prudential risks for crypto-asset activities relevant to APRA-regulated industries. This risk assessment will evolve over time.
[5] This table outlines potential key risks to consider, but the specific risks will depend on the nature of the activity. Prudential Standard CPS 220 Risk Management defines material risks as encompassing: credit risk, market and investment risk, liquidity risk, insurance risk, operational risk, risks arising from strategic objectives and business plans, and other risks that may have a material impact on the entity.
Activities
Prudential risks
Investments in crypto assets
  • Capital management: ADIs and insurers that invest in crypto-assets will need to ensure that they hold an appropriate level of regulatory capital, and factor any exposures into their ICAAP process and stress testing where relevant. Where a crypto-asset is defined as an intangible asset under the relevant accounting standards, it must be deducted from Common Equity Tier 1 Capital (CET1). The Basel Committee is consulting on the longer-term prudential treatment for crypto-asset exposures, which may distinguish between different groups (such as tokenised traditional assets, stablecoins, and other unbacked crypto-assets).
  • Investment risk: RSE licensees considering investments in crypto-assets as part of their investment strategy must ensure they can demonstrate how the investment is consistent with the duty to act in the best financial interests of beneficiaries, meets the investment strategy covenants and complies with existing prudential requirements for investment governance.
  • Operational risk: There are likely to be a range of operational risks to identify, assess and manage, including fraud, cyber, conduct, financial crime and technology risks. There may also be novel risks inherent in the crypto-asset or network, such as risks arising from the use of third parties for redemption and operation, or through the use of crypto infrastructure providers and exchanges.
  • Other risks: There are a range of other risks to consider, including the implications for liquidity management, market risk management and large exposures measurement. Regulated entities also need to consider disclosure requirements.
Lending activities linked with crypto assets
  • Credit risk: There would be potential challenges in credit risk management associated with the use of crypto-assets as collateral for lending, due to potential price volatility and illiquidity. These challenges would need to be well managed, with a focus on the accuracy and reliability of valuations, the calculation of provisioning levels, and the ability to claim on the security if needed.
  • Operational risk: There may be operational risks associated with crypto-asset collateral, such as the potential for fraud, financial crime and technological failure. There may also be risks associated with reliance on third parties, such as custodians, crypto infrastructure providers, exchanges and wallet providers.
  • Other risks: The capital, funding and liquidity treatment for loans secured by crypto assets may also be complex to determine and measure, and would need to be confirmed with APRA.
[7] Refer to s. 52(2)(c) of the Superannuation Industry (Supervision) Act 1993 (SIS Act), s. 52(6) of the SIS Act and Prudential Standard SPS 530 Investment Governance respectively.
[8] Prudential Standard APS 220 Credit Risk Management includes requirements for collateral valuation, as well as for credit risk management more broadly.
Crypto assets issuance
  • Operational risk: There are likely to be a range of operational risks to identify, assess and manage in the minting, issuance and burning of any coins, including fraud, cyber, conduct, financial crime and technology risks. The conduct risks would include important considerations around new product design and distribution. Other key considerations would include the need for robust systems for collecting, storing and safeguarding data, and a robust process for redemption.
  • Other risks: There would also be risks to consider around governance and accountabilities (in particular where there is a reliance on third parties), custody arrangements and the safeguarding of funds, capital and liquidity requirements, and recovery and resolution planning implications.
Services on crypto assets for customers
  • Operational risks: For services on crypto-assets more broadly, there are likely to be a range of operational risks to identify, assess and manage. Specific consideration should be given to the risks around fraud and asset security, including the potential for the loss or theft of private keys, wallets containing funds and authentication devices. Other key risks that would require strong controls include cyber, financial crime and technology risks, as well as conduct requirements around new product design and distribution.
Partnering with technology and other companies
  • Capital: Equity investments in entities or subsidiaries dealing directly or indirectly in crypto assets should be treated in line with existing prudential requirements.
  • Outsourcing: Entities should ensure that they meet the requirements that apply to the outsourcing of a material business activity, when relying on a third party as part of partnering in activities associated with crypto-assets.
[9] Prudential Standard APS 111 Capital Adequacy: Measurement of Capital, Prudential Standard GPS 112 Capital Adequacy: Measurement of Capital, Prudential Standard LPS 112 Capital Adequacy: Measurement of Capital.