Digital developments in focus

Risky Business - PRA sets out expectations on firms engaging in cryptoasset activities

Last week the PRA published a letter directed to the CEOs of banks and PRA-designated investment firms regarding their exposures to cryptoassets. This was one of a number of publications released at the same time, which included:

  1. the Financial Policy Committee's assessment of the role that cryptoassets and associated markets currently play in the UK and internationally (my colleague, David Kasal, has done a separate blogpost on this);
  2. the Bank of England's summary of the responses it received to its Discussion Paper on New Forms of Digital Money; and
  3. a statement from the FCA highlighting certain risks related to crypto activities, including financial crime and custody risks.

The new PRA letter is consistent with, but expands upon, the Dear CEO letter published back in 2018 on the same topic (it even has the same title!). Appropriate assessment and mitigation of risk remains front and centre for the PRA. Over the last few years it has leveraged its 2018 letter and its Fundamental Rules to apply ever-more-detailed scrutiny to the risk assessment and management frameworks applied by PRA-regulated firms. It appears that this scrutiny is only likely to intensify, and banks and PRA-designated investment firms would do well to pay attention to this if they have any dealings in cryptoassets, especially in light of the PRA's express expectation that a senior management function (SMF) holder should not only be responsible for, but actively involved in, reviewing and signing off risk assessment frameworks applicable to exposures to cryptoassets.

The letter also focuses on the prudential framework applicable to cryptoasset holdings and dealings by firms, which was not dealt with at any length in the 2018 letter. While the Basel Committee on Banking Standards and other international bodies are currently considering how cryptoasset exposures should be treated from a prudential perspective, there is no set framework at present. It is therefore helpful that the PRA has set out its expectations, even if these are that cryptoasset-related exposures more often than not fall to be treated in the "other" categories in the UK Capital Requirements Regulation, which is generally not particularly favourable. Indeed, the main takeaway appears to be that the existing prudential framework should be applied, but where there is doubt or choice it's probably best to apply it in the most conservative way available.

There are also comments towards the end of the letter about Pillar 2 assessments and the particular relevance of operational risks to (certain) crypto-related activities. Interestingly, these include for the first time I can recall a reference by the PRA to the particular risks arising from the custody of cryptoassets. What happens in the event of the insolvency of a firm's (or a firm's client's) cryptoasset custodian should, in my mind, be very much towards the top of the list of a firm's considerations when entering the cryptoasset market.

As a final comment, it's interesting to see the increasingly joined-up approach that the regulators are taking in the delivery of messages in this area - see also the joint statement on sanctions and the cryptoasset sector issued just a few weeks ago. The regulators are clearly keen to demonstrate that they are on the same page when it comes to their approach to risks in the sector. However, one can't help but feel that the approach is always going to be fairly piecemeal until activities relating to cryptoassets fall within the wider regulatory perimeter.

The underlying technologies behind cryptoassets have the potential to improve the efficiency and resilience of the financial system over time, including through lower transaction costs, higher payment system interoperability, and more choice for users. Those benefits can only be realised, and innovation be sustainable, if it is undertaken safely, and accompanied by effective public policy frameworks that mitigate risks and maintain broader trust and integrity in the financial system.
