Global standard-setter highlights key risks of cryptoasset trading platforms

IOSCO’s Report on CTPs

On 12 February 2020, the International Organisation of Securities Commissions (IOSCO) published a report which is likely to influence the approach regulators take when dealing with crypto exchanges and other providers, defined as cryptoasset trading platforms (CTPs) by IOSCO.

The report sets out key issues and risks associated with CTPs to assist regulatory authorities in regulating these. Cryptoassets are one of IOSCO’s board priorities for 2020, and it is clear that they have identified several crypto specific risks which regulators should be focusing on going forward.

As a body whose members include the US SEC and other influential regulators, a collective membership thatregulates more than 95% of the world’s securities markets in over 115 countries, IOSCO’s opinion over the cryptoasset landscape will certainly influence the regulatory direction of travel.

If it is a security — IOSCO principles apply

One thing is clear, where an authority determines that a cryptoasset or activity falls within its jurisdiction (think ‘security’ tokens, which meet the legal definition of a security or ‘financial instrument’ in the EU) the IOSCO objectives and principles will provide useful guidance in considering the issues and risks that arise in this market.

IOSCO’s securities regulation core objectives are to protect investors and ensure that markets are fair, efficient and transparent. This can equally be applied to crypto activities.

As things stand, IOSCO is not calling for payment or utility tokens to be brought in scope of securities regulatory frameworks, however, they do highlight the different approaches being taken worldwide to cryptoassets and CTPs as a whole. These include:

1) Applying existing frameworks;

2) Adapting existing frameworks when cryptoassets are involved;

3) Introducing a new regulatory framework;

4) Banning trading of cryptoassets outright.

Jurisdictions are likely to either tailor or introduce new frameworks for cryptoassets given the unique risks involved, many of which are highlighted in the report. Furthermore, given that the market is new and rapidly evolving, IOSCO is committed to continue monitoring developments and to adjust the suggested responses accordingly. I would strongly advise interested parties to monitor further statements and publications by IOSCO.

The standard setting body stresses the importance of sharing of information between regulators given the cross-border and 24/7 nature of crypto markets. We can expect regulators to talk to each other a lot more and begin to apply a more uniform approach as the industry develops further and IOSCO continues to push for common standards in this space.

Key considerations and themes

A number of key considerations and themes emerge from the IOSCO report. Some of these are common in securities regulation, however the risk is enhanced in the case of CTPs. In other cases IOSCO highlights unique risks presented by the crypto world, such as hard-forks, airdrops and 51% attacks. It is evident that IOSCO has done its crypto homework, and that the unique crypto risks identified will undoubtedly be placed under the regulatory lens going forward.

The key considerations highlighted by IOSCO:

• Access to CTPs;
• Safeguarding participant assets;
• Conflicts of interest;
• Operations of CTPs;
• Market integrity;
• Price discovery;
• Technology; and
• Clearing and settlement

The above are explained in detail in the report and have been summarised below, including the potential impact to CTPs.

1. Access to Cryptoasset Trading Platforms

Risk

Focus on the on-boarding process and how it is performed, mainly from an AML/CFT perspective but also touches on investor protection.

IOSCO highlights that in the traditional space, trading venues do not provide direct (non-intermediated) access to retail customers. Consideration of whether CTPs are undertaking investor suitability assessments prior to account opening is also highlighted to ensure that investors are participating in asset classes that match their financial situation/risk tolerance.

Appropriate risk disclosures are also mentioned. IOSCO considers that, if retail investors are being accepted, there may be a need to enhance fairness and transparency.

Impact

Most CTPs which are regulated should have sound on-boarding processes and apply due diligence to comply with AML/CFT obligations. Many CTPs will provide direct access to retail customers, and regulators are likely to focus on investor suitability and protection, requiring firms to further understand customers’ financial position and risk tolerance levels. CTPs must ensure risk disclosures are prominent and clear to customers. When moving from an unregulated space to the regulated world, there are likely to be gaps in a CTP’s processes and procedures, especially when dealing with retail clients.

2. Safeguarding Participant Assets

Risk

A key difference between CTPs and traditional securities trading platforms, is that most CTPs involve custody of customer assets, which could include cryptoassets and/or fiat currency. According to the report, this difference raises “new issues or potential risks for regulatory authorities to consider”.

A number of specific safeguarding risks are highlighted, including operational failure due to cyber-attacks, theft, loss or inaccessibility of private keys, risks from co-mingling of assets, inaccurate record-keeping and insufficient assets to meet liabilities and therefore withdrawal demands.

The second element of this risk focuses on firms having sufficient financial resources to protect against bankruptcy or insolvency. This is usually reserved for intermediaries that hold investor assets in the ‘old world’; however, is very much relevant to CTPs.

Impact

IOSCO stresses the importance of making arrangements to safeguard assets, including segregation and identification of assets. Therefore, CTPs will have to up their game and implement safeguarding standards.

It is clear that regulators are improving their technical knowledge of crypto related activities, they will be scrutinising hot and cold storage, and backup arrangements regarding access to private keys. Firms will need to clearly demonstrate that security measures are in place and that customer cryptoassets are protected, with redundancies and backups to reduce the risk of loss and theft of private keys.

Firms will need to demonstrate that they have sufficient financial resources, so it is likely that capital requirements will be introduced, or increased for CTPs.

3. Conflicts of Interest

Risk

As with most regulated industries, conflicts of interest if unmitigated can cause harm. IOSCO highlights that many firms are providing end to end services which in the past have been undertaken by multiple parties, for example, the admittance and trading of the cryptoasset, settlement, custody, market-making and advisory services. This increases the risk of conflicts, especially as CTPs could have multiple roles as a profit seeking entity which is undertaking traditional regulatory functions such as surveillance of trading or listing functions.

Impact

The impact on CTPs should not be major, as every company should keep conflicts of interest to a minimum. However, this could result in further scrutiny if firms fail to manage conflicts appropriately. Long term, there may be pressure for certain activities to be split, however it is still early to determine if this is the direction of travel.

4. Description of CTP Operations

Risk

This focuses on risks arising due to a lack of understanding of the CTP’s operations. This will be apparent when there is an absence of clear and transparent rules, policies or other documentation.

IOSCO stresses that CTPs should provide clear order execution rules, as well as cancellation procedures. These should prevent certain prohibited activities in traditional securities regulation such as client precedence or front running.

IOSCO also highlights that the use of DLT may limit the ability to cancel or modify trades once verified on the ledger. As a result, the way in which CTPs handle error trades, cancellations and modifications will be important considerations. Other unique DLT related concerns are stressed, such as how exchanges deal with hard forks, airdrops and other issuances which could present operational challenges for CTPs.

Impact

Transparency of trading operations is important, especially when dealing with retail investors.

Many CTPs are unlikely to have sufficient descriptions of how they deal with the crypto specific risks such as hard forks and airdrops. This should be included in the T&Cs and other information provided to clients.

5. Market Integrity

Risk

Here the focus is on market integrity issues. Those active during the pumps and dumps of the ICO era will be aware of the different ways in which cryptoassets can be manipulated.

IOSCO is calling for regulators to ‘assess the reliability of arrangements made by operators for monitoring, surveillance and supervision of the exchange or trading system and its members or participants to ensure fairness, efficiency, transparency and investor protection.’

IOSCO highlights some unique elements to be considered by regulators, such as high price volatility, which, when combined by 24 hours a day trading and lack of consistent pricing sources makes surveillance a bigger challenge.

Impact

As it stands many CTPs will have limited monitoring and surveillance capabilities of trading activity. This is likely to be an area of development and could ultimately increase compliance costs for CTPs. Transparency of trading activity is also an area of focus.

6. Price Discovery

Risk

IOSCO emphasises the importance of transparency of trading whilst acknowledging that it may be premature to determine the appropriate level of transparency at this stage. This will continue to be monitored.

Impact

CTPs should monitor IOSCO developments in this area.

7. Technology

Risk

This section focuses on the importance of resilience, integrity and reliability of critical systems, stressing its significance due to the custody function undertaken by many CTPs. There is a section on the importance of retention of responsibility, even when certain functions are outsourced.

Impact

CTPs have demonstrated to have a good grasp of technology, especially given the increased risk of cyber-attacks. When outsourcing, firms should ensure that sound SLAs are in place and ensure that they have effective oversight and keep ultimate responsibility of the function.

8. Clearing and Settlement

Risk

IOSCO acknowledges that certain DLT platforms could increase the efficiency of existing clearing systems; however, there are new considerations that regulators should bear in mind. IOSCO yet again highlights the fact that many TCPs undertake activities that are performed by multiple intermediaries in the ‘old world’.

Policies and procedures that consider crypto related issues are highlighted. This includes instances such as confirming who would be responsible for issues that could arise in the case of a 51% attack, which could take place during the transfer process.

Impact

The way in which settlement finality is reached when recording transactions in a distributed ledger is important and can vary. There would need to be a clear understanding of when the legal transfer of ownership of cryptoassets occurs when trading on a CTP. This should be explicit in the CTP policies, procedures and specifically covered in the Ts&Cs.

Conclusion

It is clear that there are a number of unique risks when regulating cryptoasset trading platforms. These risks have been considered in depth by IOSCO, which is evidently developing its thinking around cryptoassets and is pushing for policy development in key areas.

Although IOSCO does not call for cryptoassets that are ‘outside scope’ of securities regulation to be placed under the existing regime, it will be interesting to see how different jurisdictions will approach crypto markets in 2020 and beyond.

The enhanced focus on CTPs from IOSCO means that regulators will be seriously considering the risks that have been highlighted, and we may see jurisdictions taking a more proactive stance in regulating cryptoassets generally.