Sam Woods, chief executive of the UK Prudential Regulation Authority (PRA) has written to CEOs of banks and investment firms to remind them of their obligations under PRA rules regarding exposures to cryptoassets.
This ‘Dear CEO’ letter follows an earlier missive that Woods sent to company chief executives in 2018 communicating the PRA’s expectations of them regarding their firms’ exposures to digital assets.
The letter highlights that cryptoasset technology is enabling the creation of new financial assets and new forms of financial intermediation. The technologies backing these cryptoassets have the potential to boost the efficiency and resilience of the financial system, it notes, for example through reduced transaction costs, more choice for users and through greater interoperability between payment systems.
However, this innovation can only be sustainable, the PRA believes, if these advances are undertaken safely and accompanied by public policy frameworks that mitigate risks and ensure wider trust and integrity in the financial system.
While firms have limited exposure to cryptoassets at the current time, the PRA identifies growing interest from banks and designated investment firms in entering cryptomarkets. This may be in taking exposures as agent or principal, holding credit exposures to crypto, or in providing operational services such as custody.
These crypoasset markets, it notes, are relatively new and untested. They offer limited data history, may be characterised by high volatility, and offer risk profiles and participants that differ from other financial markets in which these firms operate.
The PRA urges firms to assess whether the risks inherent in these markets are effectively captured by their existing risk frameworks. Firms may need to adapt their risk methodologies and calibrations to ensure that they are “appropriately and prudently considering and capitalising the risks”.
The Basel Committee on Banking Supervision and other international bodies are conducting research on the risks posed to banks when participating in crypto activities. However, this work is yet to be completed and the PRA believes there “remains a need for the PRA to ensure firms are appropriately and consistently taking account of the risks in the interim”.
While no part of the current prudential framework fully captures crypto risks, the letter advises that a combination of strong risk controls, operational risk assessments, robust new product approval processes, Pillar 1 and Pillar 2 capital provisions, along with ongoing monitoring arrangements, have the potential to provide firms with an appropriate interim framework.
Looking at these recommendations selectively, the PRA advises that banks will require “strong risk controls” and may need to adapt existing risk management strategies and systems to the different risk profiles presented by cryptoasset activities, including attention to prudential, reputational and operational risk frameworks. Firms should consider use of stress tests to provide greater confidence that these risks are being captured.
Sam Woods’ letter notes that the PRA Rulebook and onshored Capital Requirements Regulation (CRR) contains some provisions to measure and mitigate risks associated with crypto activities. However, the PRA feels that it is important to remind firms of requirements for specific risks and activities — for example, participation in market-making or directly holding cryptoassets, which expose firms to market risk and counterparty risk.
Direct holdings of cryptoassets will be classified as an intangible asset under applicable accounting frameworks and will be deducted from common equity tier 1 (CET1). This is likely to present questions regarding how cryptoassets should be treated from a capital allocation standpoint when no equivalent treatment is specified in the CRR.
Operational risks are particularly relevant to some cyberasset activities which may expose firms to higher levels of cyber risk and fraud. When activities are outsourced (eg custody of crypto keys), firms need to mitigate the risks arising from the failure of that outsource partner — and the firm must maintain robust oversight of these outsourced activities.
More broadly, the letter instructs that the diversification and hedging framework adopted by firms should be conversative and reflect the potential for such relationships to deteriorate during times of financial stress.
Considered in the round, the PRA’s ‘Dear CEO’ letter reminds chief executives and their staff of risks and responsibilities that they should and, in many cases will, already be aware. It instructs firms that they need to adapt their risk methodologies, modelling procedures and capital and liquidity management to accommodate the specific risks presented by investing in, or servicing, cryptoassets.
Beyond this, it adds little that the Bank of England and PRA have not shared previously. While it uses neutral language — “firms should consider”, “we would expect firms to take into account” — there is also a cautionary tone embedded in its instructions. 'Dear CEO, we have warned you of the risks'.