PRA Dear CEO letter - Existing or planned exposure to cryptoassets

On 24 March 2022 the Prudential Regulation Authority (“PRA”) published a “Dear CEO” letter to all firms with existing or planned exposure to cryptoassets to remind them of their regulatory expectations in dealing with this asset class.

Sam Woods, Deputy Governor of Prudential Regulation and Chief Executive of the PRA, also announced in the letter the launch of a new survey. The aim of this is to capture responses on the extent of cryptoasset exposures amongst banks and investment firms, as well as the details of any strategies set out by the firms seeking to grow their cryptoasset related businesses. Responses must be submitted to the PRA by 2 June.

The most recent announcement follows a prior letter, issued in 2018, in which Woods had reminded PRA-regulated banks, insurers and investment firms of the Fundamental Rules in dealing with cryptoasset exposures. These relate to establishing effective risk management systems and strategies, as well as maintaining an “open and co-operative” relationship with the regulator. Woods also previously set out the PRA’s expectations regarding senior management accountability, remuneration policies and the safeguards a firm should have in place to appropriately mitigate the relatively larger risks involved in cryptoassets.

In the recent letter, Woods flagged the following key considerations for relevant firms:

Strong Risk Controls

  • A Senior Management Function (“SMF”) should be actively involved in reviewing and signing off on the risk assessment framework for any planned business direct exposure to cryptoassets and/or entities heavily exposed to cryptoassets;
  • Some cryptoasset-related activities may require more frequent monitoring, greater uncertainty factored into their modelling or valuation, or lower risk tolerance levels than might typically be applied;
  • Firms may also need to rely to a greater extent on proxies within risk modelling, and make more material assumptions about relationships between differing exposures; and
  • Firms should also consider the use of stress tests to provide greater confidence that risks are being captured.

Prudential Framework

  • The PRA expects firms to actively discuss the proposed prudential treatment of cryptoasset exposures with their supervisors;
  • Firms should consider the full prudential framework when assessing and mitigating risks and exposures to cryptoassets, including:
      • PRA Fundamental Rules;
      • Pillar 1 – The PRA Rulebook and Capital Requirements Regulation already contain requirements for firms to measure and mitigate risks relevant to crypto activities. However, in some areas these measures are not well calibrated to the risks observed in some cryptoassets (the letter noted that the Basel Committee on Banking Supervision is considering this specific issue);
      • Pillar 2 capital considerations; and
      • ICAAP.

Market Risk

  • For the vast majority of cryptoassets, particularly unbacked cryptocurrencies, firms should implement an appropriate capital requirement of 100% of the current value of the firm’s position;
  • The diversification and hedging framework adopted by firms should be conservative, and reflect the potential for such relationships to deteriorate in times of stress; and
  • Offsets between exposures which reference different securities underlying the cryptoasset are unlikely to be prudent in stress periods.

Credit Risk

  • Firms should consider whether the standardised approach captures the full counterparty credit risks associated with many cryptoassets, referencing Article 277 of SA-CCR.

Third Party / Outsourcing Risk

  • Firms should consider their ability (both legal and operational) to access and gain control of relevant assets in the event of third-party service provider failures.

The Financial Conduct Authority (“FCA”), in conjunction with the PRA’s letter, also issued a notice to firms with exposure to cryptoassets as a reminder of the wider considerations associated with this asset class, namely:

  • Compliance with the Money Laundering Regulations (2017, as amended) to ensure only firms registered with the FCA can carry out cryptoasset related activities. This is particularly important following the conclusion of the FCA’s Temporary Registration Regime for cryptoasset firms on 31 March 2022;
  • Compliance with the new Investment Firm Prudential Regime (“IFPR”) to assess and mitigate the potential harm to clients that could arise from the firm’s business, including cryptoassets;
  • “Consumer confusion” stemming from regulated firms providing services in relation to cryptoassets despite much of the cryptoasset sector still sitting outside of the FCA’s regulatory perimeter;
  • The need to review the firm’s counterparties to ensure no dealings are taking place with entities identified in the FCA’s “Unregistered Cryptoasset Businesses” list; and
  • Addressing the required risk mitigation activities noted in the FCA’s Dear CEO letter, issued in 2018, regarding guidance for staff training, financial crime frameworks, client due diligence and assessing source of funds where, in the cryptoasset sector, evidential trails may be weaker relative to other asset classes.

Red Flags

These FCA and PRA communications build upon the recently updated guidance, issued jointly by the UK’s Office of Financial Sanctions Implementation (“OFSI”) (which sits within HM Treasury), the Bank of England and the FCA on 11 March. This guidance relates to the legal and regulatory expectations of firms in supporting the sanctions placed on Russia and Belarus, which continue to change as the geopolitical situation evolves.

Regulators have publicly noted, since the start of March, the various methods that could be deployed by corporations and wealthy individuals to bypass the current sanctions measures using cryptoassets, custodian wallets and exchanges. The joint statement included guidance on compliance with UK Money Laundering Regulations and the typical red flags that firms should look out for within cryptoasset transactions. These include examples of activity such as:

  • A client undertaking transactions with jurisdictions subject to sanctions and/or categorised as high risk for anti-money laundering (“AML”) and counter terrorist financing (“CTF”) purposes;
  • Transactions to or from a wallet address associated with a sanctioned entity, or a wallet address otherwise deemed to be high-risk based on its transaction history;
  • Transactions involving a cryptoasset exchange or custodian wallet provider known to have poor customer due diligence procedures/controls or which is otherwise deemed high-risk; and
  • The use of tools designed to cover up the location of the client (e.g. an IP address associated with a virtual private network (“VPN”) or proxy) or source of the cryptoassets (e.g. “mixers” and “tumblers”, services offered to allow cryptoasset holders to commingle their cryptocoins with other funds to help obscure the source of the cryptoassets).

The ongoing, and fast-evolving, geopolitical crisis within Eastern Europe, and its heightened media focus, means it is ever more crucial for regulated firms involved in cryptoassets to act promptly to ensure regulatory compliance, that governance processes remain robust in managing business activities within the firm’s established risk appetite, and that staff are appropriately trained to work within the updated sanction measures.

How can BDO help?

BDO’s Economic Crime Advisory team is a dedicated, London-based practice who specialise in regulatory framework interpretation, implementation and optimisation. We work closely with a wide range of firms, locally and internationally, who are impacted by the UK regulatory remit across multiple sectors including financial services; gaming and betting; legal and professional services; the art market; and cryptoassets. We have a deep understanding of their businesses and the specific environments in which they operate, enabling us to act as a strategic partner, providing clear advice which is both balanced and constructive. We have worked with firms to support them in their journey through the FCA’s Temporary Registration Regime (“TRR”) to independently assess and support the enhancement of their AML, CTF and Sanctions compliance frameworks.

Our team comprises experienced economic crime professionals with a background in consulting, industry and the regulator (namely the UK’s Financial Conduct Authority (“FCA”) and Treasury), and so we bring a wealth of practical experience and knowledge to support you in understanding and complying with your regulatory obligations. We also benefit from deep subject matter expertise gained from our hands-on experience, and through the completion of the International Compliance Association’s “Demystifying Cryptoassets” course completed by some of our senior team members.

If you would like to understand more about how the recently announced measures and guidance on cryptoassets could affect your business and the steps which you should be taking now, please get in touch with our Economic Crime Advisory team: Fiona Raistrick, Partner, Michael Knight-Robson, Director, Clarinda Grundy, Senior Manager.