Elizabeth McCaul
Board Member

Mind the gap: we need better oversight of crypto activities

Blog post by Elizabeth McCaul, Member of the Supervisory Board of the ECB

Frankfurt am Main, 5 April 2023

The New York City Subway system uses “mind the gap” signs to remind passengers to beware of the space between the platform and the train.

Recent events in the world of finance have recast this warning, as gaps in oversight led to breaches, which risked ultimately leading to a systemically risky situation. The events again underscore the crucial role that sound regulation and effective supervision play in maintaining financial stability, and highlight three principles to keep in mind when shaping crypto-asset regulations.

The first principle echoes George Santayana: “Those who cannot remember the past are condemned to repeat it.” It is important to look at the lessons learned from historical banking crises as well as recent events on both sides of the Atlantic, and to apply these lessons to the oversight of crypto markets.

The second principle is that the requirements for good governance and strong risk management reduce the risk of bank failures. The collapse of FTX showed what happens when firms don’t meet these requirements. The regulatory framework should ensure that all crypto-asset service providers (CASPs) have sound governance and risk management arrangements in place, including binding external auditing and financial disclosure requirements.

The third and final principle is that what worked for us in the past may not necessarily be fit for purpose in the future. While the latest bank failures and financial market dislocations appear to indicate that we are doomed to repeat the failures of the past, these dislocations occasionally revealed new weaknesses that must be addressed. We will have to take a closer look, for example at how Silicon Valley Bank (SVB) lost $42 billion in deposits in five hours and the impact social media had in sparking a bank run, to ensure that any future regulation and supervision address these issues. We need to be thinking about how the crypto world presents new challenges.

These principles provide a useful lens for looking at the current situation and at existing efforts to regulate crypto-assets, e.g. through the application of BCBS standards and the Markets in Crypto-Asset Regulation (MiCA), and for figuring out how to improve these efforts even further.

Lessons learned from recent events

In the last weeks we saw the collapse of three banks in the United States and bank rescues in both the United States and Switzerland. SVB had a high growth business model – tripling its assets between 2019 and 2022 – which presented correlation risk between its loans to tech start-ups and its deposit base.[1] Silvergate Bank, Signature Bank and First Republic Bank were all exposed to crypto risks. We have also recently witnessed the forced sale of a global systemically important bank with a weak business model under stressed conditions to another. Neither scenario is new. We know that it is prudent for management first and foremost as well as supervisors to take steps to recognise risks related to rapid growth and to reduce risks stemming from correlation and weak business models. We need to follow the first principle and remember the lessons of the past. While the events of the last few weeks are too recent for us to fully analyse at this stage, both the Federal Reserve and the Swiss authorities will conduct careful reviews that will undoubtedly shed more light on any lessons that we should take on board.

In the banking world, we are used to a system that relies on a home-host supervision model and comprehensive consolidated supervision through supervisory colleges. But what has worked in the past may not cover us for the future. In the securities world, the recognition of regulatory equivalence regimes forms the basis for oversight. In the crypto world, no such framework exists. The collapse of FTX last November raised questions about gaps in the framework. How can we achieve consolidated oversight of firms that claim to have no headquarters at all? What does no primary jurisdiction or an unfamiliar location for a firm’s head office mean in terms of having a home country banking supervisor or an equivalence regime for securities oversight? The lack of a traditional central point of entry poses challenges for our current regulatory and supervisory approaches. Although the Financial Stability Board (FSB) and the Basel Committee on Banking Supervision (BCBS) have acknowledged the need for a global regulatory and supervisory framework for crypto-assets, I am afraid that this project is still very much in its infancy. The basis for home-host cooperation is, first and foremost, sound regulation and supervision in each jurisdiction. In the crypto world, however, the very concept of borders and jurisdictions is being challenged. How can we supervise firms that have no physical borders? We need to put more thought into imagining what international coordination will look like and how it can be effective in regulating the crypto world.

We should assess both existing laws, such as the Markets in Financial Instruments Directive (MiFID), and future ones, such as MiCA. We must make sure that we acknowledge where gaps exist in regulatory or supervisory oversight, since these gaps can lead to bank failures. Large and complex financial players, be they banks, other financial institutions or crypto firms, deserve a consolidated supervisory approach to ensure that risks do not go undetected and to prevent regulatory arbitrage.

State-of-play in the crypto market

In November 2021 bitcoin had reached an all-time high of almost $69,000. What then followed has since been dubbed the “crypto winter” with victims such as the TerraUSD stablecoin, crypto lender Celsius and hedge fund Three Arrows Capital. The turmoil continued with the collapse of FTX in November 2022 and the more recent failures of Silvergate Bank, SVB and Signature Bank. The FTX case shows that we should be wary of entities vaunting their success based on the market value of their own issued tokens. By retaining a large share of these self-issued tokens in their portfolios, they can easily pump up the price. But when those same tokens are used as collateral for borrowing, the side effects of the artificially-inflated price become evident.

So far, the impact of the crypto-asset market turmoil on the broader financial system has been limited. It has affected those who invested in crypto-assets and put pressure on certain small banks that provide banking services to crypto-asset clients, most notably Silvergate Bank but also Signature Bank, which experienced severe deposit outflows. Because of its small size and limited interlinkages with the wider market, Silvergate’s wind-down is unlikely to pose a threat to financial stability. On the whole, the direct integration of crypto-assets into the existing financial system is still negligible compared with the overall size of the banking sector. However, contagion within the crypto ecosystem has been spreading and other crypto firms have filed for bankruptcy owing to the high level of interconnectedness.[2] The nature and scale of crypto-asset markets are rapidly evolving and could reach a point where they represent a threat to global financial stability.

Contagion can go both ways, from crypto markets to banks but also vice versa: the recent collapse of SVB and Signature Bank also spilled over to the crypto ecosystem. Circle held $3.3 billion (about 8% of its total reserves) with SVB, which put its USDC stablecoin under pressure, resulting in its briefly losing its peg along with many other stablecoins until the US authorities intervened to remove the cap for deposit guarantees at SVB. We cannot rule out the possibility that the failure of these three banks (SVB, Signature and Silvergate) could have further repercussions for the operations of some crypto-asset trading platforms and crypto firms.

European banks are not heavily invested in crypto

In Europe, banks under our supervision still have limited crypto-related activities and we have so far not observed any material exposure to stablecoins. Most banks have been hesitant to get involved in crypto due to the asset class’s unique risks and price volatility, along with regulatory uncertainties. When we surveyed banks on the risks related to providing crypto services, they also mentioned operational risks, including IT/cyber risk, reputational risk, third-party dependency as well as money laundering and terrorist financing risks.

Besides smaller specialised institutions, the biggest banks have started looking into providing crypto-related activities, such as custody and trading services, in response to growing client demand.

Banks have also started exploring the tokenisation of traditional instruments such as securities and deposits as a tool to expedite trade finance, security and repo settlements, and to boost efficiency. When considering whether to engage in tokenisation activities, a key consideration for banks is that a significant share of potential participants need to be on the same chain or infrastructure to make it efficient. Banks may therefore wait for a winning paradigm to emerge before engaging in such activities, or they may exploit the momentum to set the industry standard. From a supervisory point of view, it is important to assess these products and services based on their economic function – technology per se does not change the underlying rights or obligations.

Regulating crypto – what has already been achieved

Fortunately, in recent years we have already made substantial progress in developing crypto regulations. The BCBS’s decision last December to establish standards for the prudential treatment of crypto-asset exposures is an important milestone.[3] The BCBS standard provides for a harmonised international regulatory and supervisory approach to banks’ crypto exposures and aims to balance responsible private sector innovation with sound bank risk management and financial stability.

The next key step is for the European Union and other Basel jurisdictions to incorporate this standard into legislation by 1 January 2025. Although the Basel standard is not yet legally binding, the ECB expects that banks hoping to engage in crypto activities will comply with the standard and take it into account in their business and capital planning. From a European perspective, the BCBS standard complements MiCA, which we expect to be adopted in the second quarter of this year.

MiCA regulates both the issuance of crypto-assets and the provision of crypto-assets services. Inter alia, it focuses on electronic money tokens (EMT) and asset-referenced tokens (ART), more commonly known as stablecoins.

Credit institutions do not need an additional licence to provide crypto-assets services, but they will have to comply with the market transparency requirements set out in MiCA. The European Banking Authority will supervise issuers of significant EMTs and ARTs. The EBA shall exercise its supervisory powers in close cooperation with other supervisory authorities, including the ECB. Designated national competent authorities will also supervise non-significant crypto-assets issuers and crypto service providers.

On our side, we are preparing for the new tasks to come. These include issuing opinions on authorisation requests for non-bank issuers, opinions on the significance of ARTs/EMTs or participation in colleges for significant ARTs/EMTs. Joint Supervisory Teams (JSTs) will continue to supervise the safety and soundness of banks’ crypto activities. In particular, we might ask banks to also share with us all the information they are required to share with the MiCA competent authorities. We are currently developing dedicated guidance for JSTs to support them in their assessment of the prudential implications of crypto activities to inform the Supervisory Review and Evaluation Process.

So far, our engagement with crypto-assets services has been primarily linked to licensing requests where we have also issued specific guidance to ensure a harmonised approach. The second principle I mentioned – good governance and strong risk management – will be the focus of our crypto supervisory engagement with banks. Let me outline some of the key points here.

Banks need to define their risk appetite limits before engaging in any crypto-related operations. In so doing, they should assess the adequacy of their risk management arrangements to cope with the challenges of the crypto market. They should define a clear business strategy – to be approved by the management body – and implemented by senior management.

Against this backdrop, it is essential to have clear and sound governance frameworks for developing and maintaining the IT architecture that supports the distributed ledger technologies such as blockchain used for crypto activities, including business continuity arrangements. There also needs to be special emphasis on the arrangements related to the processing and custody of crypto-assets, as well as on the management of stablecoin reserves.

Lastly, banks should put in place sound monitoring and reporting frameworks for all risks stemming from crypto-related activities. Similarly, they should establish effective risk mitigation measures to tackle cyber risk, fraud, and money laundering and terrorist financing risk.

Closing the gap

It is not enough to mind the gap – we have to work on closing it. While the new Basel standard and MiCA are important milestones, I am afraid they will not be sufficient on their own.

In 1975, shortly after the Herstatt crisis, the newly-created Basel Committee on Banking Regulations and Supervisory Practices, as it was called back then, came together and recognised the need for supervisory cooperation between home and host authorities “to ensure that no foreign banking establishment escapes supervision”.[4] A few years later this idea was extended to become “a basic principle of banking supervision that the authorities responsible for carrying it out cannot be fully satisfied about the soundness of individual banks unless they are in a position to examine the totality of each bank’s business worldwide”.[5]

This statement offers two important insights. First, to properly understand an entity’s risks, one needs to consider the totality of the groups’ activities and their interlinkages. Second, as the activities of these groups are global, there needs to be a framework for their global supervision. This brings me back to my third principle: what worked in the past may not work in the future.

The lesson banking supervisors learned from the failure of Herstatt – which they learned again after the failure of Bank of Credit and Commerce International – is in my view also the most important takeaway from the failure of FTX. Undoubtedly, the crypto exchange grossly violated even the most basic practices of good governance and risk management. But even if these issues had been detected, the fact remains that there was no consolidated oversight of the group’s vertical integration and its global activities in different jurisdictions. Even firms that claim to have no headquarters, such as Binance, need to be “supervisable”. In this respect, no jurisdiction should allow entities to run their business without disclosing their legal status and who is responsible for the business: the “ecosystem” concept touted by some complex and vertically-integrated crypto players does not align well with the concept of legal accountability.

We may also need to look at our own frameworks in the EU, including those we already have, such as MiFID, as well as those still under development, like MiCA, to close any gaps that exist.

I am proud that with MiCA Europe is taking the first steps globally to provide for oversight of the crypto world. MiCA will set out important safeguards to prevent incidents similar to the FTX case from occurring, such as strong governance principles like the segregation of customer funds and requirements for external audits. Nonetheless, certain areas still need further strengthening. For example, FTX would not have been classified as a significant CASP under MiCA because it did not reach the threshold of 15 million[6] active users. In fact Binance, which is the largest crypto player, is alleged to have between 28 million and 29 million active users worldwide, but would probably not even meet the threshold to be classified as significant in the EU. In my view, therefore, it should be evaluated whether the quantitative metrics adequately capture the significance of CASPs. This could take into account the type of business, such as volume for trading platforms or assets under custody for custodian businesses. These thresholds should also be measured at group level rather than at individual entity level.

In line with the principle of proportionality, significant CASPs should be subject to both stricter requirements and enhanced supervision: neither of the two is catered for by MiCA. Activities of complex and large CASPs are often equivalent to those of investment firms in the world of traditional finance. We think that particular attention of authorities and potentially legislators is necessary to ensure that those entities are covered by the appropriate licensing procedures, which address the inherent risks of these business models. This would ensure a level playing field while also respecting the principle of proportionality. Smaller CASPs which do not provide different services, especially those that do not offer in parallel trading platforms, exchange and custody services, could remain under the MiCA regime.

Perhaps most importantly, exchanges like FTX conduct their operations by leveraging a group structure, while MiCA applies only at the individual entity level. In my view, large players like FTX or Binance need a consolidated approach, even if this requires adjustments to existing legislation. Conflicts of interest must be identified across the group and even beyond, taking into account affiliated entities. The EBA and European Securities and Markets Authority should set up mechanisms for effective cross-border cooperation to ensure there is a sound basis for home-host supervision on which international banking is built. In addition, the requirement to establish intermediate parent undertakings should be extended to CASPs to remove opportunities for regulatory arbitrage, such as the exposure limits under the BCBS standard on crypto-assets.


“Mind the gap” is not just a warning for train passengers. It is also a call to action for policymakers and supervisors to tread carefully when we know gaps exist, and to work to close the gaps in oversight that exist in the crypto-asset market. For that reason, I think we would be well-advised to heed the lessons learned in the past and recent days on both sides of the Atlantic. This will aid us in developing strong regulatory guardrails and ensuring the “supervisability” of the sector.

  1. See testimony on bank oversight before the US Senate Committee on Banking, Housing and Urban Affairs by Vice Chair for Supervision Michael S. Barr.

  2. In June 2022 FTX extended a $400 million credit facility to the failed crypto lender BlockFi, which subsequently borrowed $275 million. In addition, FTX was granted the option to buy BlockFi for up to $240 million. In a similar vein, the subsequently failed lending unit Genesis had a $2.5 billion exposure to Alameda, the asset manager closely linked to FTX. While the position was closed out in August after FTX’s collapse in November, about $175 million worth of Genesis assets were still “locked” on FTX’s platform according to the company.

  3. ECB Banking Supervision (2023), “Crypto-assets: a new standard for banks”, Supervision Newsletter, 15 February.

  4. See BCBS (1975), “Report on the Supervision of Banks' Foreign Establishments – Concordat”, September.

  5. See BCBS (1979), “Consolidated Supervision of Banks' International Activities”, March.

  6. The 15 million active user threshold equates to approximately 3.4% of the EU population.