Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Republican lawmakers ask about risks of customers’ digital assets on balance sheets
On March 2, Senator Cynthia M. Lummis (R-WY) and Representative Patrick McHenry (R-NC) sent a letter to the Federal Reserve Board, FDIC, OCC, and NCUA requesting input on SEC guidance issued last year that directs cryptocurrency firms to account for customers’ digital assets on their balance sheets. Last April, the SEC issued Staff Accounting Bulletin No. 121 (SAB 121), covering obligations for safeguarding crypto-assets held by entities for platform users. Among other things, SAB 121 clarified that entities should track customer assets as a liability on their balance sheets. “[A]s long as Entity A is responsible for safeguarding the crypto-assets held for its platform users, including maintaining the cryptographic key information necessary to access the crypto-assets, the staff believes that Entity A should present a liability on its balance sheet to reflect its obligation to safeguard the crypto-assets held for its platform users,” SAB 121 explained.
Claiming that SAB 121 “purports to require banks, credit unions and other financial institutions to effectively place digital assets on their balance sheets,” the lawmakers argued that this “would trigger a massive capital charge,” and in turn would likely prevent regulated entities from engaging in digital asset custody. Rather, regulators should encourage regulated financial institutions to offer digital asset services, since they are subject to the highest level of oversight, the letter said. Among other things, the letter asked the regulators whether the SEC contacted them prior to issuing the guidance, and if they have directed regulated financial institutions to comply with SAB 121. The lawmakers also inquired whether the regulators “agree that SAB 121 potentially weakens consumer protection by preventing well-regulated banks, credit unions, and other financial institutions from providing custodial services for digital assets[.]” The letter pointed to the bankruptcy case of a now-defunct crypto lender, which classified all customers as unsecured creditors, as an example of the legal risk of requiring customer custodial assets be placed on an entity’s balance sheet. “SAB 121 places customer assets at greater risk of loss if a custodian becomes insolvent or enters receivership, violating the SEC’s fundamental mission to protect customers,” the lawmakers wrote.
Treasury seeks to advance CBDCs
On March 1, Treasury Undersecretary for Domestic Finance Nellie Liang announced that the Treasury Department will lead a new senior-level working group to advance work on a U.S. central bank digital currency (CBDC). As previously discussed in a Treasury report released last September on the future of money and payments (covered by InfoBytes here), Treasury was called to lead an interagency working group to complement work undertaken by the Federal Reserve Board to consider the implications of a U.S. CBDC. The working group will consist of leaders from Treasury, the Fed, and White House offices, including the Council of Economic Advisors, National Economic Council, National Security Council, and Office of Science and Technology Policy. In the coming months the working group “will begin to meet regularly to discuss a possible CBDC and other payments innovations,” Liang said during a workshop titled “Next Steps to the Future of Money and Payments.” The working group will focus on three main policy objectives: (i) how a U.S. CBDC would affect U.S. global financial leadership; (ii) potential national security risks posed by a CBDC; and (iii) the implications for privacy, illicit finance, and financial inclusion if a CBDC is created.
To support discussions on a possible CBDC and other payment innovations, Liang said the working group will develop an initial set of findings and recommendations. Those findings and recommendations may relate to whether a U.S. CBDC would help advance certain policy objectives, what features would be required for a U.S. CBDC to advance these objectives, choices for resolving CBDC design trade-offs, and areas where additional technological research and development might be useful.
Liang commented that the working group will also “engage with allies and partners to promote shared learning and responsible development of CBDCs.” She pointed out that CBDC efforts are already underway in jurisdictions around the world, with 11 countries already having fully launched CBDCs, “while central banks in other major jurisdictions are researching and experimenting with CBDCs, with some at a fairly advanced stage.” Liang stressed that regardless of whether a CBDC is adopted in the U.S., the country “has an interest in ensuring that CBDCs interact safely and efficiently with the existing financial infrastructure; that they support financial stability and the integrity of the international financial system; that global payment systems are efficient, innovative, competitive, secure, and resilient; and that global payments systems continue to reflect broader shared democratic values, like openness, privacy, accessibility, and accountability to the communities that rely upon them.”
Biden administration releases National Cybersecurity Strategy
On March 2, the Biden administration announced the release of its National Cybersecurity Strategy (Strategy) in a continued effort to provide a safe and secure digital ecosystem for Americans. The Strategy, which expands on other steps taken by the administration in this space (covered by InfoBytes here), focuses on several key pillars for building and enhancing collaboration, including:
- Defending critical infrastructure. The Strategy will expand the use of minimum cybersecurity requirements in critical sectors, harmonize regulations to reduce compliance burdens, ensure public-private collaboration is able to defend critical infrastructure and essential services, and defend and modernize federal networks and incident response policies.
- Disrupting and dismantling threat actors. Under the Strategy, tools will be strategically employed to disrupt adversaries, and the private sector will be used to disrupt activities. Ransomware threats will also be addressed through a comprehensive federal approach “in lockstep” with international partners.
- Shaping market forces to drive security and resilience. In an effort “to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable,” the Strategy proposes to (i) promote privacy and security of personal data; (ii) “[shift] liability for software products and services to promote secure development practices”; and (iii) ensure investments in new infrastructure are supported by federal grant programs.
- Investing in a resilient future. The Strategy promotes coordinated, collaborative actions for reducing systemic technical vulnerabilities across the digital ecosystem and improving resiliency against transnational digital repression. The Strategy also prioritizes cybersecurity research and development for emerging technologies, including postquantum encryption, digital identity solutions, and clean energy infrastructure, and stresses the importance of developing a diverse, robust national cyber workforce.
- Forging international partnerships to pursue shared goals. The Strategy intends to leverage international coalitions and partnerships to counter threats to the digital ecosystem through the use of joint preparedness, response, and cost imposition, which will enable partners to better defend themselves against cyber threats. The U.S. will also work with international partners to create secure, reliable global information and communications technology supply chains and operational technology products and services.
While “next-generation technologies are reaching maturity at an accelerating pace, creating new pathways for innovation while increasing digital interdependencies,” the announcement warned that state and non-state actors are developing and executing campaigns that threaten the digital ecosystem. The Biden administration’s Strategy aims to address those threats.
Agencies warn banks of crypto-asset liquidity risks
On February 23, the FDIC, Federal Reserve Board, and OCC released a joint statement addressing bank liquidity risks tied to crypto-assets. The agencies warned that using sources of funding from crypto-asset-related entities may expose banks to elevated liquidity risks “due to the unpredictability of the scale and timing of deposit inflows and outflows.” The agencies addressed concerns related to deposits placed by crypto-asset-related entities for the benefit of end customers where the deposits may be influenced by the customer’s behavior or crypto-asset sector vulnerabilities, rather than the crypto-asset-related entity itself, which is the bank’s direct counterparty. The agencies warned that the “uncertainty and resulting deposit volatility can be exacerbated by end customer confusion related to inaccurate or misleading representations of deposit insurance by a crypto-asset-related entity.” The agencies also addressed issues concerning deposits that constitute stablecoin-related reserves, explaining that the stability of these types of deposits may be dependent on several factors, including the “demand for stablecoins, the confidence of stablecoin holders in the stablecoin arrangement, and the stablecoin issuer’s reserve management practices,” and as such, may “be susceptible to large and rapid outflows stemming from, for example, unanticipated stablecoin redemptions or dislocations in crypto-asset markets.”
The agencies’ statement reminded banking organizations to apply effective risk management controls when handling crypto-related deposits, commensurate with the associated liquidity risk of those deposits. The statement suggested certain effective risk management practices, which include: (i) understanding the direct and indirect drivers of potential deposit behavior to ascertain which deposits are susceptible to volatility; (ii) assessing concentrations or interconnectedness across crypto deposits, as well as the associated liquidity risks; (iii) incorporating liquidity risks or funding volatility into contingency funding planning; and (iv) performing robust due diligence and ongoing monitoring of crypto-asset-related entities that establish deposit accounts to ensure representations about these types of deposit accounts are accurate. The agencies further emphasized that banks are required to comply with applicable laws and regulations, including brokered deposit rules, as applicable, and Call Report filing requirements. The joint statement also reminded banks that they “are neither prohibited nor discouraged from providing banking services to customers of any specific class or type, as permitted by law or regulation.”
As previously covered by InfoBytes, the agencies issued a statement in January highlighting key risks banks should consider when choosing to engage in cryptocurrency-related services.
Illinois announces new consumer protections for digital assets, proposes new money transmitter licensing provisions
On February 21, the Illinois Department of Financial and Professional Regulation (IDFPR) announced several legislative initiatives to establish consumer protections for cryptocurrencies and other digital assets and provide regulatory oversight of the broader digital asset marketplace. The Fintech-Digital Asset Bill (see HB 3479) would create the Uniform Money Transmission Modernization Act and provide for the regulation of digital asset businesses and modernize regulations for money transmission in the state. Among other things, the Fintech-Digital Asset Bill would require digital asset exchanges and other digital asset businesses to obtain a license from IDFPR to operate in the state. The bill also establishes various requirements for businesses, including investment disclosures, customer asset safeguards, and customer service standards. Companies would also be required to implement cybersecurity measures, as well as procedures for addressing business continuity, fraud, and money laundering. Notably, the Fintech-Digital Asset Bill replaces and supersedes the Transmitters of Money Act (see 205 ILCS 657) with the Money Transmission Modernization Act, in order to harmonize the licensing, regulation, and supervision of money transmitters operating across state lines. Provisions also amend the Corporate Fiduciary Act to allow for the creation of trust companies for the special purpose of acting as a fiduciary to safeguard customers’ digital assets, the announcement noted.
The Consumer Financial Protection Bill (see HB 3483) would grant the IDFPR authority to enforce the Fintech-Digital Asset Bill and strengthen the department’s authority and resources for enforcing existing consumer financial protections. Modeled after the Dodd-Frank Act, the Consumer Financial Protection Bill empowers the IDFPR with the ability to target unfair, deceptive, and abusive acts and practices by unlicensed financial services providers. The bill creates the Consumer Financial Protection Law and the Financial Protection Fund, and establishes provisions related to supervision, registration requirements, consumer protection, cybersecurity, anti-fraud and anti-money laundering, enforcement, procedures, and rulemaking. The Consumer Financial Protection Bill also includes provisions concerning court orders, penalty of perjury, character and fitness of licensees, and consent orders and settlement agreements, and makes amendments to various application, license, and examination fees. The bill does so by amending the Collection Agency Act, Currency Exchange Act, Sales Finance Agency Act, Debt Management Service Act, Consumer Installment Loan Act, and Debt Settlement Consumer Protection Act.
DFPI launches crypto scam tracker
On February 16, the California Department of Financial Protection and Innovation (DFPI) launched a database to help consumers in the state spot and avoid crypto scams. The Crypto Scam Tracker compiles details about apparent crypto scams identified through a review of public complaints submitted to the DFPI, and is searchable by company name, scam type, or keywords. “Through the new Crypto Scam Tracker, combined with rigorous enforcement efforts, the DFPI is committed to shining a light on these ruthless predators and protecting consumers and investors,” DFPI Commissioner Clothilde Hewlett said in the announcement.
NYDFS adds enhancements for detecting virtual currency fraud
On February 21, NYDFS Superintendent Adrienne A. Harris announced enhancements to the Department’s ability to detect fraud in the virtual currency industry. The new enhancements will improve NYDFS’s ability to combat financial crime and detect illegal activity among state-regulated entities engaged in virtual currency activity through new insider trading and market manipulation risk monitoring tools. Specifically, the enhancements will strengthen NYDFS’s virtual currency supervision and aid the Department in detecting potential insider trading, market manipulation, and front-running activity associated with regulated entities’ and applicants’ exposure or potential exposure to listed virtual currency wallet addresses. The announcement builds upon recently issued guidance related to the use of blockchain analytics tools, the issuance of U.S. dollar-backed stablecoins, and custodial guidance on crypto insolvency, as well as guidance for addressing measures for preventing market manipulation. (Covered by InfoBytes here, here, here, and here.)
Treasury official highlights fintech, crypto assets, and cloud services challenges
On February 15, Treasury Assistant Secretary for Financial Institutions Graham Steele delivered remarks before the Exchequer Club of Washington, D.C., during which he discussed the U.S. Treasury Department’s financial institutions agenda on fintech, cryptocurrency, and cloud service providers. Stating that “significant potential exists to harness the underlying technology in fintech, digital assets, and cloud services adoption,” Steele cautioned that there exist common risks across these spaces related to inadequate oversight, excessive concentration, and consumer harms.
With respect to nonbanks and fintech, Steele noted that participation by nonbanks in financial services is a key priority for Treasury. He commented that while nonbanks add diversity and competition pressure to consumer finance markets, they “have largely not been subject to the kind of comprehensive regulation and supervision to which banks are subject,” which has created numerous “risks related to regulatory arbitrage, data privacy and security, bias and discrimination, and consumer protection, among others.” Steele highlighted recent Treasury recommendations primarily focused on using existing authorities held by the federal banking regulators and the CFPB as a way to coordinate supervision of bank-fintech partnerships and credit underwriting models. Another area of concern, Steele noted, are big technology firms—those that generally seek to enter the consumer finance market via relationships with banks and third-party fintech firms, and who avoid prudential regulation, supervision, and risk-management requirements that would apply if they offered banking services. “Big Tech firms may have incentives to leverage their existing commercial relationships, consumer data, and other resources to enter new markets, expand their networks and offerings, and scale rapidly to achieve capabilities that others—including depository institutions—do not have and cannot replicate,” Steele said.
Steele also touched on Treasury’s objectives for crypto assets, in which he referred to several studies examining “the potential financial stability implications of crypto-asset activities” and the risks and opportunities they might present to consumers, investors, and businesses. He also addressed concerns about misleading claims and representations in this space (for example, with respect to the availability of deposit insurance) and noted that there exist several gaps in existing authorities over crypto assets. Finally, Steele discussed a recent Treasury report, which examined potential benefits and challenges associated with the adoption of cloud services technology by financial services firms (covered by InfoBytes here).
Fed cautions banks regarding crypto risks
On February 10, Federal Reserve Board Governor Christopher J. Waller gave a speech on the cryptocurrency ecosystem and digital assets before attendees at the Global Interdependence Center Conference: Digital Money, Decentralized Finance, and the Puzzle of Crypto. Waller provided a broad overview of digital assets and digital ledger technologies and briefly discussed the use of smart contracts in peer-to-peer trading, as well as their potential to automate the execution of certain transactions in non-crypto-assets such as securities transactions. He also highlighted risks associated with another emerging technology—tokenization—which, he explained, “when combined with data vaults to securely store personal information, can be used to trade objects in a way that protects one’s identity from being exploited for profit.” Waller commented that these potential applications could also “lead to substantial productivity enhancements in other industries” beyond the crypto ecosystem.
Waller went on to express support for prudent innovation but expressed concerns about banks engaging in activities that expose them to a heightened risk of fraud, scams, and legal uncertainties. “As with any customer in any industry, a bank engaging with crypto customers would have to be very clear about the customers’ business models, risk-management systems, and corporate governance structures to ensure that the bank is not left holding the bag if there is a crypto meltdown,” Waller stated. “And banks considering engaging in crypto-asset-related activities face a critical task to meet the ‘know your customer’ and ‘anti-money laundering’ requirements, which they in no way are allowed to ignore.”
Agencies warn banks of crypto-asset risks
On January 3, the FDIC, Federal Reserve Board, and OCC issued a joint interagency statement highlighting key risks banks should consider when choosing to engage in cryptocurrency-related services. Risks flagged by the agencies include: (i) the possibility of fraud and scams among crypto-asset sector participants; (ii) legal uncertainties related to custody practices, redemptions, and ownership rights; (iii) misleading disclosures made by crypto firms that may be unfair, deceptive, or abusive; (iv) volatility in crypto-asset markets, including the susceptibility of stablecoins to run risk, which could impact deposit flows; (v) contagion risks resulting from interconnections among crypto-asset participants that may present concentration risks for banks with exposure to the crypto-asset sector; (vi) lack of maturity in risk management and governance practices within the crypto-asset sector; and (vii) elevated risks associated with open, public, and/or decentralized networks.
The agencies commented that while they will continue to take a cautious approach to current or proposed crypto-asset-related activities (and are not prohibiting nor discouraging banks from providing crypto services to customers, as permitted by law or regulation), they currently “believe that issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe-and-sound banking practices.” Moreover, the agencies expressed “significant safety and soundness concerns with business models that are concentrated in crypto-asset-related activities or have concentrated exposures to the crypto-asset sector.” Agencies have developed processes for banks to engage in robust supervisory discussions with their supervisory office about any proposed or existing crypto-asset-related activities, the agencies advised, adding that before launching any activities, banks should take appropriate risk management measures and assess whether the activity can be performed in a safe and sound manner, is legally permissible, and complies with applicable laws and regulations. Additional statements will be released in the future by the agencies.
“The events of the past year have been marked by significant volatility and the exposure of vulnerabilities in the crypto-asset sector,” the agencies said as they stressed the importance of keeping crypto-asset risks that cannot be mitigated or controlled from migrating to the banking system.
The OCC separately issued a bulletin advising supervised banks to follow processes outlined in OCC Interpretive Letter 1179 (covered by InfoBytes here) before engaging in certain crypto-asset-related activities.