Dear crypto-assets… APRA’s expectations and the policy roadmap ahead

By John Bassilios

After announcing that crypto-asset regulation would be an area of focus for 2022, the Australian Prudential Regulation Authority (APRA) has published an open letter, ‘Crypto-assets: Risk management expectations and policy roadmap’, to all APRA-regulated entities. Speaking earlier this month, APRA Chair Wayne Byres said that ‘finding that Goldilocks point for regulation – not too much, not too little – so as to allow the digitisation of finance to generate maximum economic benefit, but doing so within society’s risk tolerance, is what we strive for’.

The letter is consistent with this measured approach, outlining a four-year plan of policy initiatives including a series of consultations and collaboration with other agencies. The letter also sets out APRA’s interim expectations for how entities will approach risk management when engaging with crypto-assets.

APRA’s expectations: risk management

Effecting authorised deposit-taking institutions (ADIs), and the superannuation and insurance industries, the letter outlines APRA’s expectations that due to the novelty and potential volatility of crypto-assets that entities will adopt a ‘prudent’ approach to risk management and seek to understand and manage risks before launching new crypto-asset initiatives. In particular, APRA notes that operational risks including fraud, cyber, anti-money laundering and counter-terrorism financing (AML/CTF) and technology are particularly important for entities looking to engage with crypto-assets.

In applying a prudent approach to crypto-asset risk, APRA expects that entities will:

• conduct due diligence and complete a comprehensive risk assessment before engaging with crypto-assets;
• ensure that they have a thorough understanding of the risks associated with the activities proposed to be undertaken, and take have processes in place to mitigate those risks;
• not just limit risk assessments to new risks only, but also include assessments of how new activities will impact existing operational risk assessments and whether existing internal controls should be modified to accommodate any changes;
• consider obligations under Prudential Standard CPS 231 Outsourcing or Prudential Standard SPS 231 Outsourcing when relying on third-parties; and
• apply the appropriate risk management controls with clear accountability and reporting processes. APRA provides specific instruction for ADIs that crypto-asset accountabilities should be assigned to Banking Executive Accountability Regime (BEAR) Accountable Persons and that related accountability statements should be modified to reflect the new responsibilities.

APRA also provides a preliminary analysis of the risks associated with crypto-assets including:

• holding sufficient capital, taking into consideration how different crypto-assets may be distinguished in the future.
• ensuring that entities that invest in crypto-assets have robust investment strategies and can demonstrate that investments are in the best interests of members.
• credit risk management where crypto-assets are used as collateral, noting potential difficulties around volatility, valuation accuracy and the ability to claim on security.
• considering how crypto-assets may impact existing risk management assessments including in relation to liquidity, markets, concentration and operational risks.
• fraud and asset security as specifically applied to crypto-assets, including the management of private keys, authentication and governance.

Noting that the Australian Securities and Investment Commission (ASIC) has already released guidance for entities engaging with crypto-assets in ASIC Information Sheet 225, APRA also expects that entities will proactively seek advice from both APRA and ASIC to ensure that they fully understand their obligations under both regulatory regimes.

Policy roadmap

The letter also provides an outline for the development of a new prudential policy framework to be completed by 2025 as a part of APRA’s broader goals to modernise its policy and supervision infrastructure. In developing the crypto-asset policy framework, APRA will continue to collaborate with international regulatory bodies including the Basel Committee on Banking Supervision to ensure that Australia’s approach is consistent with international standards as they develop.

In the period ahead, APRA has planned the following activity:

• crypto-activities: undertake domestic consultations following the conclusion of the Basel Committee’s current enquiries. APRA does not expect to be able to begin these consultations until 2023, and has flagged that it will consider whether interim guidance is required.
• operational risk standards: APRA expects to release draft prudential standards for consultation mid-2022 that will cover control effectiveness, business continuity and service provider management. According to the timeline set out in the letter, the operational risk prudential standard will become effective in 2024.
• stablecoins: APRA will consider possible approaches to the prudential regulation of payment stablecoins (crypto-assets that are backed by stabilisation mechanisms). APRA notes that the Council of Financial Regulators (CFR), consisting of APRA, ASIC, the Reserve Bank of Australia and the Treasury, consider these stablecoin arrangements to be similar to existing Stored-Value Facilities (SVF).

The CFR published a report on the regulation of SVF in 2020 that is expected to be implemented by the Government under the payments licensing framework announced in December 2021. Because of these similarities, APRA and the CFR are working to incorporate stablecoins into existing proposals for SVF regulation, undertaking consultations with a view to implementing an SVF standard in 2025.

These consultations will form part of the Government’s broader reforms, including Treasury’s recently released consultation on the proposed licensing and custody requirements for crypto-asset secondary service providers. While the upcoming federal election casts some doubt over the Government’s plans, Shadow Assistant Treasurer and Shadow Minister for Financial Services and Superannuation Stephen Jones stated that ‘the broad principles we would take to crypto regulation is safety and transparency… That inevitably leads to greater regulation of exchanges’, though it remains to be seen whether and how this approach differs from current plans.

This article was written with the assistance of Eric Lay, Law Graduate.