FSOC REPORT ON DIGITAL ASSETS: MITIGATE CRYPTO RISKS THROUGH REGULATORY OVERSIGHT

Congress Prompted to Fill the Gaps with Legislation

On October 3, 2022, as lawmakers in the United States continue to debate which agencies should regulate crypto-based activities, the Financial Stability Oversight Council (FSOC) released its Report on Digital Asset Financial Stability Risks and Regulations (the Report).^[1] The Report highlights how several key features of “crypto-assets,” such as crypto’s near immutability, automation and consumer accessibility, can pose risks to consumers, investors and institutions. In sum, the Report finds six main financial stability vulnerabilities connected to crypto-assets.

Though these risks are diverse, and many could have system-wide effects, FSOC asserts that many crypto-asset services are similar to existing financial services. Accordingly, several current regulatory structures could effectively manage these risks—so long as crypto businesses are willing to comply. For those risks that are truly unique to crypto-assets, the Report proposed that Congress enact legislation to lay the foundation for comprehensive regulatory schemes to address the current regulatory gaps and prevent systemic risk build-up.

Risks Connected to the Crypto-Asset Ecosystem, External and Internal

The six financial stability vulnerabilities identified in the Report fit into two categories: risks resulting from the crypto-asset ecosystem’s entanglements with the traditional financial system and those risks contained within the crypto-asset ecosystem.

The Report emphasizes that the most important financial stability consideration is the risk of connecting crypto-asset market participants, service offerings and technologies with the traditional financial system. Stablecoin assets, the values of which are inherently tied to national currencies or other reference assets, are of particular concern. Substantial stablecoin growth and a subsequent stablecoin run could dislocate the traditional asset market, according to the Report. The response to such a run would be largely unregulated, hindered by the opacity of the system and could be mismanaged—all leading to contagion.

In addition to stablecoin concerns, the Report finds that new crypto-asset-based products and services in banking, investments and insurance also increase the risk of financial instability. The Report posits that, although sparsely offered now, new robust avenues for exposure to crypto-assets, such as crypto-backed mortgages and the increased adoption of crypto payments, are constantly in development. As these new exposures increase, so too will the interconnectedness of crypto-assets and the traditional financial markets, increasing the likelihood of financial instability, warns the Report.

Vulnerabilities contained in the crypto-asset ecosystem are more acute, but could also pose considerable risks, especially as the crypto-asset market continues to grow. These risks are further divided into five groups: price volatility, internal financial exposures, operational mechanics, funding mismatches/runs and leverage.

According to the Report, these risks are exacerbated by the speculative nature of crypto-assets and the associated inability to accurately prescribe fundamental economic value to this asset class. On this note, the Report emphasized the “gamification” of crypto-asset markets, which may lower retail participants’ expectations for disclosures and compliance with investor protection rules.

Additionally, FSOC warned that the interconnections within the crypto-asset ecosystem exacerbate the effects of fragmented and tightening market liquidity across crypto native platforms, increasing the risk of widespread loss during a financial shock. The Report also highlights operational vulnerabilities, specifically disruptions in the deployed code caused by bugs, technological issues caused by the concentration of mining and malicious attacks on infrastructure service providers. Decentralization could complicate, or even prevent, an intervention to address any of these vulnerabilities from both a technological and a regulatory perspective.

Addressing Risks through Current Regulatory Frameworks

The Report states that many of the services provided by crypto-asset firms and businesses are not actually novel, even if the technology is. Therefore, current regulatory requirements could reduce many of the risks currently associated with crypto-assets. Federal regulators have anti-money laundering, cybersecurity, custody, clearing and other equivalent requirements. Additionally, the current regulations provide guardrails to help prevent runs, like SIPC insurance for brokerage accounts and FDIC insurance for deposit accounts. Further, the Fed, the CFTC and the SEC monitor and restrict certain leverage activities on registered exchanges. Noncompliance with these requirements can lead to exams and enforcement actions.

The Report recognizes that banks and financial institutions regulated by the FDIC, OCC and the Fed are subject to a wide array of regulations and related guidance on crypto-assets. Banks may only engage in activities that are permissible under law and conducted in a safe and sound manner, and affiliates held by bank holding companies have additional activity restrictions. Further, banks are subject to prudential oversight of their activities, including frequent supervision, examination and enforcement.

All three agencies have issued interpretive letters on permissible crypto-related activities for the banks they supervise. For example, banks supervised by the OCC may, with the receipt of written non-objection from the OCC, hold deposits as reserves for stablecoins and provide cryptocurrency custody services.^[2]

Additional regulators, such as the National Credit Union Association and state regulators, have issued various guidance letters implying that their regulated entities may engage in crypto-related activities. Other state regulators have gone further and created charters or licenses for crypto-asset businesses, discussed further below.

For non-banks, the Report states that some crypto-assets are securities regulated by the SEC, while other crypto-assets are commodities (in which case, derivatives relating to such crypto-assets would be regulated by the CFTC).^[3] The Report asserts, based on the number of recent enforcement actions and independent analysis, that many current crypto-asset firms and businesses should be complying with current SEC or CFTC regulations but are instead avoiding these regulations in part or in whole.

The offer or sale of a security must either be registered with the SEC or exempt from registration under the Securities Act of 1933, as amended. Likewise, an exchange that lists securities must be registered with the SEC. According to the SEC and the Report, many crypto-assets are securities.^[4] The SEC has brought many enforcement actions against the sale of such assets,^[5] but both the SEC and the Report imply that the number of crypto-firms and businesses out of compliance is much higher than the number of enforcement actions brought.

The CFTC regulates most commodity derivatives transactions, including those derivatives transactions that involve “virtual currencies.” Though the CFTC regulations do not treat crypto-assets differently from other commodities, the CFTC has issued guidance to exchanges and clearinghouses that certain products and activities require enhanced attention when they involve a virtual currency. These areas include enhanced market surveillance, coordination with the CFTC staff and outreach to stakeholders. The CFTC has brought enforcement actions against entities in the crypto-asset space for fraud, consumer protection failures and failure to list on an exchange or register as a futures commission merchant.

Some states are also active in regulating crypto-assets. For example, New York-chartered businesses may engage in “virtual currency” activities with the approval and oversight of the New York Department of Financial Services (NYDFS). Additionally, any company engaging in crypto-asset activities in New York must obtain a “BitLicense.” In other states, crypto-asset activities may be regulated as money services businesses, though this usually only applies to money transmission and is not comprehensive regulatory supervision.

Accordingly, the Report recommends that the above current regulatory schemes continue to be enforced and that crypto-asset firms and businesses to whom these frameworks apply be brought into compliance. Compliance with these established regulatory regimes, according to the Report, could address risks related to interconnection with the traditional financial market, operational vulnerabilities, volatility in crypto prices, funding mismatches and runs and leverage.

Regulatory Gaps and How to Fill Them

Despite these existing, robust regulatory frameworks, the Report identified three regulatory gaps and suggested Congress take comprehensive action to fill these gaps.

First, federal regulation does not apply to spot markets for crypto-assets that are not securities, like Bitcoin, even when crypto-asset platforms engage in activities that would be regulated in other markets, like providing custodial services for crypto-assets. To avoid fraud and other risks, the Report recommends that Congress give federal financial regulators jurisdiction over these spot markets. This jurisdiction should include the authority to address conflicts of interest, abusive trading practices, cybersecurity, custody, settlement and many other areas of inherent risk.

Second, crypto-businesses are subject to piecemeal regulation based on their activities or their affiliates’ activities. No one regulator has full insight into the business. This gap allows crypto-businesses to engage in “regulatory arbitrage” and avoid certain regulatory requirements. The Report recommends that Congress give regulators the authority to supervise activities of all affiliates and subsidiaries of a crypto-asset entity. In the meantime, the Report recommends regulators coordinate with each other and with law enforcement to get a more holistic picture of the business and to enforce existing regulations as they may apply. Further, the Report recommends that Congress “create a comprehensive federal prudential framework for stablecoin issuers” that addresses the risks associated with crypto-assets.

Lastly, unregulated vertical integration of crypto-asset trading platforms directly exposes retail investors to risks that they might be protected from on other more traditionally siloed trading platforms. Without regulated intermediaries, and with automated closing, retail investors are more directly impacted by volatility, mistakes and hacks. To address these risks, the Report recommends that agencies analyze the impact of vertical integration and whether it is a model that can or should be supported by existing laws.

Conclusion

Crypto-asset regulation has been publicly in the eye of FSOC and other U.S. regulators and legislators since at least 2014. As the technology has developed, U.S. regulators have advocated for applying existing frameworks to where feasible and filling the gaps with legislation and new regulations.

The U.S. is not alone on this front. Due to their decentralized nature, crypto-asset markets face similar risks to those identified by FSOC, but on a global scale. International standard setting organizations are also developing rules to prevent shocks to the global financial system. Similar to FSOC’s recommendations, members of the Financial Stability Board have suggested that most crypto-asset markets should be subject to the rules of traditional finance. To assist in applying regulatory oversight, whether current or yet to be written, the Basel Committee on Bank Supervision has proposed a system of classification for crypto-assets to ensure more uniform regulation across groups of assets and across Basel Committee members.

Special thanks to associate Jordan Briggs (New York-Financial Institutions Advisory & Financial Regulatory) and Derivatives Intern Nick Agostino, who contributed to this publication.